Release Notes
Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to PingDirectory Server, PingDataSync Server, PingDirectoryProxy Server, and PingDataMetrics Server. Updated March 1, 2024.
PingDirectory suite of products 9.2.0.5 (March 2024)
Added a tool to identify obsolete replication domains
New DS-47373 PingDirectory
Added the check-replication-domains tool, which you can run to check the current list of known replication domains in changelogDb and find any obsolete domains present. The tool defaults to the server’s root directory. Learn more about Discovering obsolete replicas.
Improved timeouts for replication operations
Improved DS-47144 PingDirectory, PingDirectoryProxy, PingDataSync
Improved various timeouts for dsreplication enable and remove-defunct-server operations to enable them to scale with the size of the topology. Smaller topologies shouldn’t be impacted by these changes.
Increased timeouts for mirrored subtree operations
Improved DS-46597 PingDirectory
Increased timeouts for mirrored subtree operations to provide better support for large or distributed topologies.
Improved dsreplication performance for large or high-latency topologies
Improved DS-47083, DS-47084 PingDirectory
Improved the performance of dsreplication commands in topologies with a large number of PingDirectory servers or high network latency.
Improved the response time of dsreplication
Improved DS-47104 PingDirectory
Improved the response time of the dsreplication command.
Added logging history for the setup tool
Improved DS-47831 PingDirectory
A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.
Fixed a NullPointerException caused by an unconfigured alert handler
Fixed DS-47455 PingDirectory, PingDirectoryProxy, PingDataSync, PingDataMetrics
Fixed an issue where a NullPointerException was thrown when an alert or alarm was raised and one or more of the alert handlers weren’t configured. This most commonly happened when the server was being stopped.
Now, instead of throwing a NullPointerException, the server logs this message: Alert notification '<notification>' will not be processed by alert handler '<alert_handler>' since that alert handler does not have configuration.
Fixed an encoding issue with UTF-8 in URI search filters
Fixed DS-48300 PingDirectory, PingDataSync
Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.
Fixed a potential NullPointerException during replication
Fixed DS-47289 PingDirectory
Fixed a potential NullPointerException that the server could throw during replication if missing changes were found for a replica, but that replica didn’t exist on all servers. This scenario can happen when an obsolete replica is purged concurrently with the check for missing changes.
Fixed an issue where obsolete replicas weren’t always purged
Fixed DS-47369 PingDirectory
Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.
Fixed a replication issue where a suffix could have multiple generation IDs
Fixed DS-47695 PingDirectory
The generation ID, represented by ds-sync-generation-id, is a value used by replication to determine if replicas are compatible and can be replicated. To address the issue of multiple generation IDs for the same suffix, the generation ID is now calculated independently of the disk order in which the entries are stored. This new behavior is helpful when entries are imported on new servers instead of initializing them.
Fixed an issue with dsreplication status information
Fixed DS-47326 PingDirectory
Fixed an issue where running the dsreplication status --displayservertable command sometimes failed to display peer server statuses or generation IDs.
Fixed an incorrect suggestion in the replication terminal output
Fixed DS-47878 PingDirectory
Fixed a problem where dsreplication initialize suggested using the --force option if you were unable to connect to the server properly.
Fixed a performance issue when adding servers to large, dispersed topologies
Fixed DS-46664 PingDirectory
Added caching logic to address a performance issue that occurred when adding new servers to large, replicated topologies spanning multiple geographic locations.
Fixed an issue where the server could throw a DATABASE_LOCK_CONFLICT error
Fixed DS-45949 PingDirectory
Fixed an issue where aborting a transaction on a PingDirectory server could sometimes fail to release a write-lock, causing all subsequent transactions to fail with the error DATABASE_LOCK_CONFLICT until the server was restarted.
PingDirectory suite of products 9.2.0.4 (November 2023)
Faster server backup and recovery
Improved DS-45157 PingDirectory
We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.
Fixed an issue with Changelog Password Encryption in replicated environments
Fixed DS-48205 PingDirectory
We fixed an issue where the Changelog Password Encryption plugin wouldn’t work properly in a replicated environment if you changed a password using a Password Modify extended operation. The password change is now propagated to all replicas.
PingDirectory suite of products 9.2.0.3 (September 2023)
Added a new configuration property to the Config File Handler backend
New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).
If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file may be removed after the next configuration change.
By default, this property will apply to the topology registry subtree.
Enhanced the dsreplication enable command
Improved DS-46902 PingDirectory
The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.
Fixed an issue causing a null pointer exception
Fixed DS-45527 PingDataSync
Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.
Fixed an issue allowing search operations to last beyond the time limit
Fixed DS-47585 PingDirectory
Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.
PingDirectory suite of products 9.2.0.2 (August 2023)
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.2.0.1 (May 2023)
Added the cache-duration property
New DS-47166 PingDirectory
Critical: Added the property cache-duration to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.
Fixed an issue causing missing IntraSync User operational attributes
Fixed DS-46695 PingDataSync
Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.
Fixed an issue with changing passwords within minAge
Fixed DS-46882 PingDirectory
Fixed an issue with changing a password that is within the minAge: the server now responds with an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.
Improved the response time of dsreplication enable
Improved DS-46906 PingDirectory
Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.
PingDirectory suite of products 9.2.0.0 (December 2022)
Added new access control bind rules and a new access control target
New DS-38367, DS-38368, DS-38369 PingDirectory
- Added a new "secure" access control bind rule that can be used to make access control decisions based on whether the client is using a secure connection (for example, LDAPS or LDAP with StartTLS) to communicate with the server. Using the bind rule secure="true" indicates that the ACI only applies to requests received over a secure connection, while secure="false" indicates that the ACI only applies to requests received over an insecure connection.
- Added a new "connectioncriteria" access control bind rule that can be used to make access control decisions based on whether the client connection matches a specified set of connection criteria. The value of the bind rule can be either the name or the full DN of the configuration object that defines the desired connection criteria.
- Added a new "requestcriteria" access control target that can be used to make access control decisions based on whether the operation request matches a specified set of request criteria. The value of the target can be either the name or the full DN of the configuration object that defines the desired request criteria.
For more information, see ACI bind rules and ACI targets.
Added an audit data security recurring task
New DS-42172 PingDirectory
Added a new "audit data security" recurring task that can be used to regularly examine server data for potential security-related issues. For more information, see Auditing data content.
Added new stats to track operations when using UnboundIDSyncDestination
New DS-44855 PingDataSync
Added new stats to track operations on account state when using an UnboundIDSyncDestination. They can be found on the monitor entry for the sync pipe associated with the destination.
Added support for Java 17
New DS-45766 PingDirectory, PingDirectoryProxy, PingDataSync
The server can now run on Java 17.
PingDataMetrics does not support Java 17.
Updated Groovy
New DS-45970
Updated Groovy support from Groovy 2.x to Groovy 3.x for Java 17 compatibility. This change might introduce some minor incompatibilities in Groovy script support (for example, it appears that import statements split across multiple lines are no longer allowed), so deployments making use of Groovy-scripted extensions should carefully test these extensions in a temporary standalone instance to verify compatibility and make any necessary changes before updating existing instances.
Added a SCIM 2.0 sync destination
New DS-46108 PingDataSync
Added a SCIM 2.0 sync destination. For more information, see Configuring synchronization to a SCIM 2.0 server.
Added new password storage schemes
New DS-46018 PingDirectory
Added new password storage schemes that provide support for the Argon2i, Argon2d, and Argon2id variants of the Argon2 password hash and proof-of-work function. We previously offered only a single Argon2 password storage scheme (which used Argon2i behind the scenes), but the new schemes make it possible to explicitly indicate which variant should be used for encoding passwords.
For more information about password storage schemes, see Supported password storage schemes.
Added an HTTP servlet extension to support Prometheus
New DS-46593
Added an HTTP servlet extension that allows the values of numeric monitor attributes to be published as metrics in a form that can be consumed by a Prometheus monitoring server. For more information, see Monitoring server metrics with Prometheus.
Fixed issues with data security auditors
Fixed DS-12140, DS-42173, DS-46123, DS-46124, DS-46125, DS-4782, DS-4783, DS-4784, DS-5130 PingDirectory
- Fixed an issue in which the locked account data security auditor did not include the number of validator-locked entries in the summary generated when completing processing for a backend.
- Fixed an issue in which the expired password data security auditor could incorrectly report that an entry has an old password even when it has been changed more recently than the configured password evaluation age.
- Fixed an issue with the weakly encoded password data security auditor that could prevent it from detecting passwords encoded with certain schemes.
- Updated the weakly encoded password data security auditor so passwords encoded using unsalted SHA-1 digests, salted SHA-1 digests, salted MD5 digests, and the MD5 variant of the CRYPT password storage scheme are now considered weak by default.
- Updated the Server SDK to add support for creating custom data security auditors.
For more information about data security auditors, see Auditing data content.
Removed support for incremental backups
Fixed DS-44442 PingDirectory
Removed support for incremental backups, which had been deprecated since the 8.3.0.0 release. As an alternative, we recommend using LDIF exports, which are more useful, more portable, and much more compressible than full backups, and they can be taken more frequently than full backups without consuming as much disk space. Further, the extract-data-recovery-log-changes tool can be used in conjunction with either LDIF exports or backups to replay changes recorded in the data recovery log since the time the export or backup was created.
Exploded indexes are no longer created unexpectedly
Fixed DS-44966 PingDirectory
Fixed an issue where exploded indexes were unexpectedly created following an unclean shutdown.
Fixed an issue with dsreplication
Fixed DS-45044 PingDirectory
Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.
The hibernate-validator library in the management console has been updated to version 6.2.1
Fixed DS-45461 PingDirectory
To close a vulnerability found in hibernate-validator 5.4.3 in the management console, we are updating the console to version 6.2.1. This newer version requires jakarta-validator 2.0.2 rather than the older javax-validator 1.1.0, so we are also upgrading the directory server to use jakarta-validator 2.0.2 to preserve compatibility.
When moving to version 2, javax-validator was moved to jakarta but still uses the javax namespace, so no code changes are needed other than dependency updates. If we move to jakarta-validator v3 in the future, however, we will need to move to the jakarta namespace.
Fixed an issue causing the replication initialize task to fail
Fixed DS-45567 PingDirectory
Fixed an issue where a replication initialize task that ran longer than the configured connection idle-timeout-limit would cause the initialize to fail.
Resource limits are now set for the topology admin user
Fixed DS-45638 PingDirectory
Fixed an issue where resource limits for the topology admin user created during replication enable were not set.
Fixed an issue with replication enablement
Fixed DS-45960 PingDirectory
Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.
Fixed an issue causing slow response time
Fixed DS-46017 PingDirectory
Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.
Fixed an issue causing sync to slow down
Fixed DS-46119 PingDataSync
Fixed an issue encountered when using PingDataSync with a PingOne Sync Destination that caused sync to slow down significantly after 5 minutes and generate extraneous requests to the sync destination.
Fixed an issue preventing changes to certain password policy state attributes from being applied
Fixed DS-46121 PingDataSync
Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.
Exposed previously hidden properties in the PingDirectoryProxy server
Fixed DS-46129 PingDirectoryProxy
Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
The migrate-ldap-schema tool now removes incorrect single quotes
Fixed DS-46169 PingDirectory
Modified the migrate-ldap-schema tool to remove incorrect single quotes enclosing the attribute type syntax OID in schemas being imported from Microsoft Active Directory.
Users are no longer prevented from changing their own passwords
Fixed DS-46392 PingDirectory,PingDirectoryProxy
Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.
New servers can now be enabled into a large topology
Fixed DS-46436 PingDirectory
Fixed an issue where new servers could not be enabled into a large topology.
Enhanced the audit-data-security tool to use new data security auditors
Improved PingDirectory
The audit-data-security tool is used to identify potential risks or other notable security characteristics contained in directory data. This tool has been enhanced to use new data security auditors defined in the server configuration. The new data security auditors can identify:
- Accounts with password policy state issues that might currently or soon affect their usability.
- Accounts with an activation time in the future, an expiration time in the past, or an expiration time in the near future.
- Accounts with passwords encoded using deprecated password storage schemes.
- Accounts for users that have not authenticated in longer than a specified length of time.
- Accounts that are configured to use a nonexistent password policy and are therefore unable to authenticate.
- Entries that match a specified search filter.
Also, the locked account auditor is now able to identify validation-locked accounts, and the weakly encoded password auditor can now flag passwords encoded with SMD5, SHA, and SSHA, and also the MD5 variant of the CRYPT scheme.
For more information about the audit-data-security tool, see Auditing data content.
Improved logging with the addition of new features
Improved PingDirectory
A number of features have been added to improve logging and the summarize-access-log tool to provide a better experience for administrators. The summarize-access-log tool already provided a list of the domain names of the target users for the most common bind failures, but the following metrics have been added to improve the detection of possible security issues:
- The IP addresses of the clients with the most failed bind attempts (in case a single client is trying to access multiple accounts, as might happen in a credential stuffing attack).
- The addresses of the users with the most consecutive authentication failures (that is, most failures between successes or most failures without a success).
- The identification of filters with parentheses, ampersands, pipes, single quotes, and double quotes, which might indicate an unsuccessful LDAP filter injection attempt.
- The identification of filters with the words "select" and "from", which might indicate an unsuccessful SQL injection attempt.
- The identification of the most commonly used and missing privileges.
- The tracking of the number of components used in filters, because an increase in the number of filters with more components might suggest a successful injection attempt.
For more information about the summarize-access-log tool, see Logging Tools.
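The metrics listed above, applied to constructed access-log lines as an added example; this is not code from the server or from the summarize-access-log tool, and the simplified key=value log layout, the field names and the sample values are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in a simplified key=value layout modelled on a
# directory access log; they are not real PingDirectory output. Result code 49 stands
# for invalidCredentials and 0 for success.
SAMPLE_LOG = """
[01/Mar/2024:10:00:01 +0000] BIND RESULT conn=1 op=0 from="203.0.113.5:51000" authDN="uid=alice,ou=people,dc=example,dc=com" resultCode=49
[01/Mar/2024:10:00:02 +0000] BIND RESULT conn=2 op=0 from="203.0.113.5:51001" authDN="uid=bob,ou=people,dc=example,dc=com" resultCode=49
[01/Mar/2024:10:00:03 +0000] BIND RESULT conn=3 op=0 from="203.0.113.5:51002" authDN="uid=carol,ou=people,dc=example,dc=com" resultCode=49
[01/Mar/2024:10:00:04 +0000] BIND RESULT conn=4 op=0 from="198.51.100.7:40000" authDN="uid=bob,ou=people,dc=example,dc=com" resultCode=49
[01/Mar/2024:10:00:05 +0000] BIND RESULT conn=5 op=0 from="198.51.100.7:40001" authDN="uid=bob,ou=people,dc=example,dc=com" resultCode=0
[01/Mar/2024:10:00:06 +0000] BIND RESULT conn=6 op=0 from="198.51.100.7:40002" authDN="uid=alice,ou=people,dc=example,dc=com" resultCode=0
[01/Mar/2024:10:00:07 +0000] SEARCH RESULT conn=6 op=1 filter="(uid=alice)" resultCode=0
[01/Mar/2024:10:00:08 +0000] SEARCH RESULT conn=7 op=1 filter="(|(uid=*\\29\\28uid=*)(cn=x))" resultCode=0
[01/Mar/2024:10:00:09 +0000] SEARCH RESULT conn=8 op=1 filter="(cn=select * from users)" resultCode=0
[01/Mar/2024:10:00:10 +0000] SEARCH RESULT conn=9 op=1 filter="(&(objectClass=person)(mail=o'brien@example.com))" resultCode=0
"""

# key=value pairs; quoted values may contain spaces and backslash escapes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# One filter component: "(" followed by an attribute description and a match operator.
COMPONENT_RE = re.compile(r"\([A-Za-z][\w.;-]*\s*[~<>]?=")
# Assertion values: everything between "=" and the closing ")" of a component.
VALUE_RE = re.compile(r"=([^()]*)\)")
# RFC 4515 hex escapes a client must use to place these characters inside a value.
ESCAPED_SPECIALS = {"\\28": "escaped '('", "\\29": "escaped ')'",
                    "\\26": "escaped '&'", "\\7c": "escaped '|'"}


def parse_line(line):
    """Return (message type, {field: value}) for one access-log line."""
    header_end = line.find("]") + 1
    first = FIELD_RE.search(line, header_end)
    msg_type = line[header_end:(first.start() if first else None)].strip()
    fields = {m.group(1): m.group(2).strip('"')
              for m in FIELD_RE.finditer(line, header_end)}
    return msg_type, fields


def component_count(filter_str):
    """Number of attribute assertions in a filter, e.g. 2 for (&(a=1)(b=2))."""
    return len(COMPONENT_RE.findall(filter_str))


def filter_findings(filter_str):
    """Reasons a filter looks like an injection attempt (empty list if none)."""
    values = " ".join(VALUE_RE.findall(filter_str))
    findings = [desc for esc, desc in ESCAPED_SPECIALS.items() if esc in values.lower()]
    # Quotes are a weak signal: names such as O'Brien trigger it too, so review in context.
    if "'" in values or '"' in values:
        findings.append("quote character in value")
    words = set(re.findall(r"[a-z]+", values.lower()))
    if {"select", "from"} <= words:
        findings.append("sql keywords")
    return findings


def summarize(log_text):
    """Aggregate the security-relevant metrics over a whole log."""
    failed_binds_by_ip = Counter()
    current_run = defaultdict(int)          # consecutive failures per user so far
    max_consecutive_failures = Counter()
    filter_component_histogram = Counter()  # component count -> number of filters
    suspicious_filters = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg_type, f = parse_line(line)
        if msg_type == "BIND RESULT":
            user = f.get("authDN", "")
            if f.get("resultCode") == "0":
                current_run[user] = 0       # a success ends the failure run
            else:
                client_ip = f.get("from", "").rsplit(":", 1)[0]
                failed_binds_by_ip[client_ip] += 1
                current_run[user] += 1
                max_consecutive_failures[user] = max(
                    max_consecutive_failures[user], current_run[user])
        elif msg_type == "SEARCH RESULT" and "filter" in f:
            filter_component_histogram[component_count(f["filter"])] += 1
            findings = filter_findings(f["filter"])
            if findings:
                suspicious_filters.append((f["filter"], findings))
    return {"failed_binds_by_ip": failed_binds_by_ip,
            "max_consecutive_failures": max_consecutive_failures,
            "filter_component_histogram": filter_component_histogram,
            "suspicious_filters": suspicious_filters}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Failed binds by client IP:", report["failed_binds_by_ip"].most_common(3))
    print("Max consecutive failures:", report["max_consecutive_failures"].most_common(3))
    print("Filter component histogram:", dict(report["filter_component_histogram"]))
    for flt, why in report["suspicious_filters"]:
        print("Suspicious filter", flt, "->", ", ".join(why))
```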
Access control improvements
Improved PingDirectory
PingDirectory provides a number of features to manage access to data within the data store, including Access Control Instructions and connection criteria. In this release, the access control handler supports bind rules that make access control decisions based on whether the client connection is secure or whether it matches a given set of connection criteria, and a target that determines whether a rule applies to a given request based on request criteria.
Updated global configuration
Improved DS-38078 PingDirectory
Updated the global configuration to define configuration properties that can be used to set alternative size limit, time limit, idle time limit, and lookthrough limit values for unauthenticated clients. By default, the server will use the same default limits for both authenticated and unauthenticated clients, but you can now set limits for unauthenticated clients that are different from the default limits imposed for authenticated clients. It is still possible to override these limits on a per-user basis with operational attributes in the user’s entry.
Added support for generating digital signatures with a key obtained from an encryption settings definition
Improved DS-38277
Added support for generating digital signatures with a key obtained from an encryption settings definition. By default, the server’s preferred encryption settings definition will be used to obtain the signing key, but you can use the signing-encryption-settings property in the crypto manager configuration to choose an alternative definition.
Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.
Added support for HTTP forward proxy
Improved DS-40345
Updated the server to add HTTP forward proxy support for several server components that may need to establish HTTP and HTTPS connections to external services. Updated components include:
- The Amazon Key Manager cipher stream provider
- The Amazon Secrets Manager cipher stream provider
- The Amazon Secrets Manager passphrase provider
- The Amazon Secrets Manager password storage scheme
- The Azure Key Vault cipher stream provider
- The Azure Key Vault passphrase provider
- The Azure Key Vault password storage scheme
- The PingOne pass-through authentication plugin
- The PingOne sync source and destination
- The Pwned Passwords password validator
- The SCIMv1 sync destination
- The SCIMv2 sync destination
- The Twilio alert handler
- The Twilio OTP delivery mechanism
- The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler
The replication-purge-obsolete-replicas property is now set to true by default
Improved DS-41467 PingDirectory
The replication-purge-obsolete-replicas global configuration property is now set to true by default for new and upgraded PingDirectory servers so that obsolete replicas are purged.
The replace-certificate tool now re-prompts the user for the path to a valid file containing certificates
Improved DS-45968
Updated the replace-certificate tool’s behavior when running in interactive mode. Previously, when it prompted the user for the path to a file containing one or more certificates to be imported, it would exit with an error if the provided path represented a file that did not contain valid certificate information. It will now re-prompt the user for the path to a valid file after displaying the error message.
Updated replication enable synopsis
Improved DS-46127 PingDirectory
Updated replication enable synopsis to mention that schema initialization is part of the enable process and explain that the order of provided servers is significant for the initialization.
Updated the dsconfig tool
Improved DS-46313
Updated the dsconfig tool to ensure that it uses the correct authentication type when applying changes to all servers in a server group. Previously, it would always attempt to use simple authentication, even if the connection to the initial server was authenticated using a different mechanism.
Enhanced the replication server
Improved DS-46332 PingDirectory
The replication server now continues to handle incoming replication connections even when there is an unexpected exception.
Updated Amazon AWS external server configuration
Improved DS-46615
Updated the Amazon AWS external server configuration to provide more control over the method used to authenticate to AWS. Previously, it was only possible to authenticate with an access key or an IAM role. We have added an option to use an IRSA role, and we have also added an option to use a default credentials provider chain that attempts to identify an appropriate authentication method for cases in which the server is running in the AWS environment (for example, EC2 or EKS) based on locally available information like system properties and environment variables.
dsreplication enable subcommand description differs based on operating system
Issue DS-46127 PingDirectory
There is a known issue with the description of the dsreplication enable subcommand differing based on the operating system. On macOS, an updated description is shown:
"Update the configuration of the servers to replicate the data under the specified base DN(s). If one of the two servers is already part of an existing replication topology, then that server must be specified as the first server. This is because the schema of the second server will be updated to match the schema of the first. The configuration of all the servers in the existing topology will also be updated, so it is sufficient to perform this operation once for each new server that is added to the topology. The server-to-server replication communication is always secured with SSL."
But on some operating systems, including Windows and CentOS, the older description, which doesn’t mention the schema initialization, is shown.
Support for HashiCorp Vault password storage schemes
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 9.1.0.4 (November 2023)
Added a configuration property to the Config File Handler backend
New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under specified base DNs.
If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration gets added to the configuration archive, but that archived configuration file can be removed after the next configuration change.
By default, this property applies to the topology registry subtree.
Faster server backup and recovery
Improved DS-45157 PingDirectory
We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.
Enhanced the dsreplication enable command
Improved DS-46902 PingDirectory
The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.
Improved the response time of dsreplication enable
Improved DS-46906 PingDirectory
Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.
Fixed an issue with the purging of obsolete replicas
Fixed DS-47369 PingDirectory
Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.
Fixed a potential NPE for missing changes in replication
Fixed DS-47289 PingDirectory
Fixed a possible null pointer exception in replication where missing changes were found for a replica, but that replica didn’t exist on all servers. This could have occurred in scenarios where the replica was obsolete and purged concurrent to the check for missing changes.
Fixed an issue with the remove-defunct-server command
Fixed DS-47784 PingDirectory
Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme. In these cases, the encryption settings were not initialized before initializing the password policy components.
Fixed an error with replicated PingDirectory server topologies
Fixed DS-47103 PingDirectory
Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.
Fixed an issue with index name length
Fixed DS-47182 PingDirectory
Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.
Fixed an issue where adding a hotfix server to a topology failed
Fixed DS-46807 PingDirectory
Fixed an issue where dsreplication enable failed to add a server with a hotfix build to an existing topology with a previous build. The hotfix server would attempt to become topology master immediately, interrupting proper initialization.
Fixed an issue with nondescript logging for manage-profile replace-profile errors
Fixed DS-46983 PingDirectory
Fixed an issue where errors that occurred during a manage-profile replace-profile operation would only log Batch command failed entries.
Batched dsconfig commands that are executed during manage-profile replace-profile now report a detailed cause for the failing command.
PingDirectory suite of products 9.1.0.3 (August 2023)
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.1.0.2 (March 2023)
Fixed an issue with resource limits for the topology admin user
Fixed DS-45638 PingDirectory
Fixed an issue where resource limits for the topology admin user created during replication enable were not set.
Fixed an issue with password policy state attributes
Fixed DS-46121 PingDataSync
Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.
PingDirectory suite of products 9.1.0.1 (November 2022)
Fixed an issue with the dsreplication tool
Fixed DS-45044 PingDirectory
Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.
Fixed an issue with replication enablement
Fixed DS-45960 PingDirectory
Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.
Fixed an issue with slow response times on PingDirectory servers
Fixed DS-46017 PingDirectory
Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.
Fixed an issue preventing users from changing their passwords
Fixed DS-46392 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.
Updated the PingDirectoryProxy server to expose properties in global configuration
Improved DS-46129 PingDirectoryProxy
Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
PingDirectory suite of products 9.1.0.0 (June 2022)
Added support to sanitize access logs to protect sensitive information
New
Log files can potentially contain sensitive or identifiable information that you might not want recorded in the clear. The server can now be configured to sanitize access logs as they are being written. This is available for any writer-based or JSON-formatted access log, and elements in the log message can be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see Log sanitization.
Added support for processing JSON-formatted access logs
New
PingDirectory provides a robust logging system allowing for detailed analysis of the server’s functioning. Included is support for creating log files written using JSON format. The summarize-access-log command, which is used to display a number of metrics about operations processed within the server, now supports processing JSON-formatted access logs.
Updated Directory REST API
New
The Directory REST API allows developers to create customized applications for managing the entries in a directory instance. The Directory REST API now supports controls previously only available through LDAP calls. This includes the ability to do joins, allowing for advanced data modeling of relationships.
Added conflict error messages for replicated PingDirectory deployments
New
In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically, and in such cases the server whose add attempt creates a conflict now returns a CONFLICT result in the replication response control and LDAP result code.
JSON-formatted access logger updated
Improved DS-44507, DS-45243, DS-45530
Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.
PingDataSync Server supports PingOne as a sync destination
Improved PingDataSync
PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.
Synchronize data to custom attributes defined in the PingOne environment
Improved PingDataSync
When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.
Repeating cycle when resetting a password
Issue PingDirectory
If your password policy for an admin user (such as a topology administrator or rootDN) is set with force-change-on-reset:true or force-change-on-add:true, an administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator into a repeating cycle when resetting the password.
One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:
$ bin/manage-account set-must-change-password \
--mustChangePassword false \
--targetDN cn=<admin cn>
setup tool failure due to Bouncy Castle JAR files
Issue
The setup command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the lib directory that begin with bc. The JAR files are mentioned in an error message similar to the following: An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server’s classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.
Bouncy Castle libraries are not removed from the lib directory
Issue DS-46007
If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the lib directory, resulting in both the older and newer versions of the library being in the lib directory. This should not cause any problems with the server, but it might result in warning messages in the server’s error log about different versions of the same JAR file in the classpath (for example, The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar and The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.
JSON-formatted controls rejected
Issue DS-46016 PingDirectory, PingDirectoryProxy
JSON-formatted join request controls with their criticality set to false are rejected as if their criticality were true by non-search requests.
Fixed an issue that prevented the server from refreshing monitor data
Fixed DS-41468
Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.
Fixed the status tool
Fixed DS-44481
The status tool now shows the current collect-support-data version.
Fixed key and trust store PIN issues
Fixed DS-45336
Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.
Updated the server to create the esTokenizer.ping file if it does not exist
Fixed DS-45449 PingDirectory
Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.
Password policies using virtual attributes are now correctly applied
Fixed DS-45466 PingDirectory
Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.
Improved string representations of active operations and persistent searches
Fixed DS-45485 PingDirectory, PingDirectoryProxy
Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.
The encode-password tool now works with AES256 password storage
Fixed DS-45546 PingDirectory
Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.
Support added for synchronizing custom attributes defined in PingOne destinations
Fixed DS-36184, DS-45125 PingDataSync
Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.
Set a consistent priority index when adding two PingDataSync servers into a new failover topology
Fixed DS-45123 PingDataSync
Updated the manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.
Updated the sanitize-log tool
Fixed DS-16236 PingDirectory
Updated the sanitize-log tool to better align with the server’s support for sanitizing log messages as they are logged. Changes include:
- It is preconfigured with default behaviors for an expanded set of log fields.
- It can be configured to suppress the default log field behavior configuration and use only explicitly specified configuration.
- It offers support for additional sanitization options, including omitting fields and differentiating between values that should be redacted or tokenized in their entirety and values that should be redacted or tokenized by components.
- It now uses syntax-aware redaction and tokenization.
- It offers support for specifying a default behavior to use on a per-syntax basis.
- It can obtain its settings from a log field behavior definition in the server configuration.
Improved assured replication result codes for conflicts
Improved DS-42302 PingDirectory
Added support for improved assured replication result codes when replication conflicts occur. For processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.
Fixed password policy state extended operation
Fixed DS-44667 PingDirectory
Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.
Added a new Docker command-line tool
Improved DS-45147 PingDirectory, PingDataSync, PingDirectoryProxy
Added a docker-pre-start-config command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container’s environment.
Added new arguments for manage-profile generate-profile and manage-profile replace-profile
Improved DS-45163
Added a --excludeSetupArguments argument for the manage-profile generate-profile command and a --skipValidation argument for the manage-profile replace-profile command. The --skipValidation argument allows skipping the final server validation step when running on an offline server, and the --excludeSetupArguments argument allows generating a server profile that does not include a setup-arguments.txt file. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile’s <server-root>/pre-setup/ directory.
Fixed an issue with server privileges
Fixed DS-45250
Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.
Improved protections around the ds-pwp-modifiable-state-json operational attribute
Improved DS-45255, DS-45504, DS-45505 PingDirectory
Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to ds-pwp-modifiable-state-json if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for modify operations, and the server would properly reject add attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.
The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it prohibits attempts to update the ds-pwp-modifiable-state-json operational attribute in another user’s entry in the same modify request that also resets that user’s password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions, while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user’s password policy state.
Fixed a backwards compatibility issue with the migrate-ldap-schema tool
Fixed DS-45322 PingDirectory
A former version of the tool allowed the --useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.
Removed two password policies for non-password users
Fixed DS-45439, SF:00741269# PingDirectory
Minimum and maximum age password policies are no longer applied for users without a password.
Updated Kafka version
Security DS-45462
Updated PingDirectory products to use Kafka 2.8.1, which resolves.
Fixed incorrect index skipping
Fixed DS-45470 PingDirectory
Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine that the results from one index should already be encompassed by results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).
Updated the topology registry and the replace-certificate tool
Improved DS-45480, DS-45636
Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server’s certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.
Made the following updates to the replace-certificate tool:
- Added new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
- Added a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
- Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. The available options are suppressing the update, only adding the listener certificate itself, only adding the listener certificate’s issuers, or adding both the listener certificate and its issuers.
- Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid, so that a non-valid certificate can be replaced.
Fixed an access log reporting issue
Fixed DS-45487 PingDirectory
Fixed an issue where access logs incorrectly reported negative processing times for certain operations.
Added support for JSON-formatted request and response controls
Improved DS-45494 PingDirectory, PingDirectoryProxy
Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.
Updated the server Bouncy Castle cryptographic library versions
Security DS-45503
Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.
Added support for generic strings in access and error log messages
Improved DS-45541, DS-45542
Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.
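The log sanitization behaviors described in this release (the sanitize-log tool’s redact, tokenize, and omit options, its per-component handling of DNs and filters, and the generic-string option above) can be illustrated with a small sanitizer for JSON-formatted access log lines. This is an added example written for these notes, not Ping Identity code and not the server’s actual implementation: the sample log line, the field-behavior policy, the token format and the HMAC key are all constructed, and the field names are assumed to resemble those of a JSON access log.

```python
import hashlib
import hmac
import json
import re

# Constructed example: a JSON-formatted access log message of the kind an
# LDAP server writes. The values are made up and are not from a real log.
SAMPLE_LOG_LINE = json.dumps({
    "timestamp": "2022-06-01T12:30:45.123Z",
    "messageType": "RESULT",
    "operationType": "SEARCH",
    "requesterIP": "192.0.2.17",
    "dn": "uid=jdoe,ou=People,dc=example,dc=com",
    "filter": "(&(objectClass=person)(mail=jdoe@example.com))",
    "resultCode": 0,
    "etime": 1.203,
    "diagnosticMessage": "Search by jdoe from 192.0.2.17 matched 1 entry",
})

# Hypothetical per-deployment tokenization secret. A token is an HMAC of the
# value, so equal values give equal tokens (correlation across log lines still
# works) while the original value cannot be read back out of the log.
TOKEN_KEY = b"constructed-example-key-rotate-me"
REDACTED = "{REDACTED}"

# Hypothetical field-behavior policy: preserve (default), omit, redact or
# tokenize the whole value, or redact/tokenize per component for syntaxes the
# sanitizer understands (DNs and search filters).
POLICY = {
    "requesterIP": "tokenize",
    "dn": "tokenize-components",
    "filter": "redact-components",
    "diagnosticMessage": "omit",
}


def tokenize(value: str) -> str:
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "{TOKENIZED:" + digest[:12] + "}"


def replace_value(value: str, base: str) -> str:
    if base == "redact":
        return REDACTED
    if base == "tokenize":
        return tokenize(value)
    raise ValueError(f"unknown behavior {base!r}")


def sanitize_dn(dn: str, base: str) -> str:
    """Syntax-aware: keep each RDN's attribute type, replace only its value."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, val = rdn.partition("=")
        if sep:
            parts.append(attr + sep + replace_value(val, base))
        else:
            parts.append(replace_value(rdn, base))
    return ",".join(parts)


_FILTER_ITEM = re.compile(r"\((?P<attr>[\w.;-]+)(?P<op>~=|>=|<=|=)(?P<val>[^()]*)\)")


def sanitize_filter(flt: str, base: str) -> str:
    """Syntax-aware: keep the filter structure and attribute names, replace assertion values."""
    def repl(m):
        if m.group("val") == "*":  # a presence filter carries no user data
            return m.group(0)
        return "(" + m.group("attr") + m.group("op") + replace_value(m.group("val"), base) + ")"
    return _FILTER_ITEM.sub(repl, flt)


SYNTAX_HANDLERS = {"dn": sanitize_dn, "filter": sanitize_filter}


def sanitize_record(record: dict, policy: dict = POLICY) -> dict:
    """Apply the per-field policy to one decoded log record."""
    out = {}
    for field, value in record.items():
        behavior = policy.get(field, "preserve")
        if behavior == "omit":
            continue
        if behavior == "preserve":
            out[field] = value
            continue
        base, _, scope = behavior.partition("-")  # e.g. "redact-components"
        text = value if isinstance(value, str) else json.dumps(value)
        handler = SYNTAX_HANDLERS.get(field) if scope == "components" else None
        out[field] = handler(text, base) if handler else replace_value(text, base)
    return out


def sanitize_line(line: str, policy: dict = POLICY) -> str:
    """Sanitize one JSON access log line and return it re-serialized."""
    return json.dumps(sanitize_record(json.loads(line), policy), separators=(",", ":"))


if __name__ == "__main__":
    print(sanitize_line(SAMPLE_LOG_LINE))
```

Tokenizing the DN and requester IP keeps the sanitized log useful for investigations (all operations by the same account or client still line up), while redacting filter values and dropping the diagnostic message removes the free-text fields most likely to carry user data; timing and result-code fields are preserved because the summarize-access-log style of analysis depends on them.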
Updated the local DB backend to disable the index cursor entry limit by default
Improved DS-45564 PingDirectory
This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.
In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.
Fixed gauge alarm issues
Fixed DS-45578 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.
Fixed server lockdown issue in newly initialized databases
Fixed DS-45582 PingDirectory
Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server …may have missed one or more update(s). if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.
Updated the export-reversible-passwords tool
Fixed DS-45600 PingDirectory
Updated the export-reversible-passwords tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.
Fixed a server operation rejection issue
Fixed DS-45767 PingDirectory
Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It continues to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.
Fixed a replication protocol message issue
Fixed DS-45714, SF:00753519# PingDirectory
Fixed an issue that allowed replication protocol messages to be dropped.
Updated to LDAP SDK version 6.0.5
Fixed DS-45746 PingDirectory
Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.
Fixed a server issue causing internal errors during monitoring
Fixed DS-45786 PingDirectory
Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.
Fixed a Directory REST API error with mismatched time syntax attribute values
Fixed DS-45788 PingDirectory
Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
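The failure mode in DS-45788 is a converter that accepts only the YYYYMMDDhhmmssZ form, while the Generalized Time syntax (RFC 4517) also permits omitted minutes and seconds, a fractional part, and a numeric UTC offset. The following parser, an added example written for these notes rather than Ping Identity code, accepts the full syntax and normalizes every valid value to the single canonical form, so that a SCIM-style conversion layer does not turn a legitimate attribute value into a server error. The sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 Generalized Time: minutes, seconds, a fraction and a numeric offset
# are all optional parts that a strict "YYYYMMDDhhmmssZ" check would reject.
_GT_RE = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?:(?P<minute>\d{2})(?P<second>\d{2})?)?"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value: str) -> datetime:
    """Parse any syntactically valid Generalized Time value into an aware UTC datetime."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    year, month, day, hour = (int(m.group(g)) for g in ("year", "month", "day", "hour"))
    minute = int(m.group("minute") or 0)
    second = int(m.group("second") or 0)
    if second == 60:  # a leap second is legal in the syntax; datetime has none
        second = 59
    # A fraction applies to the finest unit actually present (hour, minute or second).
    if m.group("second") is not None:
        unit = timedelta(seconds=1)
    elif m.group("minute") is not None:
        unit = timedelta(minutes=1)
    else:
        unit = timedelta(hours=1)
    frac = float("0." + m.group("fraction")) if m.group("fraction") else 0.0
    tz = m.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
    # datetime() itself rejects impossible dates such as month 13 with ValueError.
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone(offset))
    return (dt + unit * frac).astimezone(timezone.utc)


def to_canonical(value: str) -> str:
    """Normalize a valid value to the YYYYMMDDhhmmssZ form (fraction truncated)."""
    return parse_generalized_time(value).strftime("%Y%m%d%H%M%SZ")


def is_valid_generalized_time(value: str) -> bool:
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values covering the optional parts of the syntax.
    for sample in ("20220601123045Z", "202206011230Z", "2022060112.5Z",
                   "20220601123045.123Z", "20220601123045-0500", "20220601123045,5+01"):
        print(sample, "->", to_canonical(sample))
```

The point a converter should take from this is to parse first and format second: once the value is a datetime, emitting the strict form (or an RFC 3339 timestamp for SCIM) is trivial, whereas string-matching one layout rejects values the directory itself accepted.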
Fixed Proxy server manage-profile replace-profile errors
Fixed DS-45798 PingDirectoryProxy
In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:
The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) ...
This fix ensures that the configuration is loaded prior to the merge that the error message refers to.
Updated the commons-codec library
Security DS-45898
Updated the commons-codec library to version 1.13.
Delegated Admin 4.10 (June 2022)
Accounts can be directly unlocked
New Delegated Admin
Managing accounts includes the ability to unlock accounts. Previously, the only way to unlock an account was for an administrator to reset the password. Now, Delegated Admin users can directly unlock an account without resetting the password.
The initiate password reset option does not unlock accounts.
Assign custom names for Members and Nonmembers columns
New Delegated Admin
Managing group membership is a common administrative user task. Resource types can now have custom names assigned for Members and Nonmembers columns. This option is available for the Groups, Users and Generic REST resource types.
Implicit grant type is no longer recommended
New Delegated Admin
Currently, we are using the Implicit grant type. However, the Implicit grant type is no longer recommended for use because it can leak the access tokens. For more information, see https://oauth.net/2/grant-types/implicit/. For new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE.
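To make concrete why Authorization Code with PKCE (RFC 7636) is preferred over the Implicit grant, the following added example models the client side and an in-memory authorization server: the browser redirect carries only a short-lived, single-use code rather than the access token, and the token endpoint releases a token only to the party that can present the code_verifier behind the code_challenge. This is illustrative code written for these notes, not Delegated Admin or PingDirectory code; the client id, redirect URI and token format are assumed, and the test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum.
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory model of the authorization-code + PKCE checks."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        # Unlike the Implicit grant, only the code (never a token) is placed in the redirect.
        return redirect_uri + "?" + urllib.parse.urlencode({"code": code})

    def token(self, code, client_id, redirect_uri, code_verifier):
        entry = self._codes.pop(code, None)  # a code is single-use
        if entry is None:
            raise PermissionError("unknown or already used code")
        exp_client, exp_redirect, challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            raise PermissionError("client_id or redirect_uri does not match the authorization")
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


# Hypothetical client registration used by the flow below.
CLIENT_ID = "delegated-admin-example"
REDIRECT_URI = "https://da.example/callback"


def run_flow(tamper: bool = False):
    """Client side of the flow. With tamper=True a different verifier is presented,
    as an intercepted code would be by a party that never held the original verifier;
    returns the token on success or None when the server refuses."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    location = server.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    code = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)["code"][0]
    presented = make_code_verifier() if tamper else verifier
    try:
        return server.token(code, CLIENT_ID, REDIRECT_URI, presented)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("normal flow:", run_flow())
    print("code without the verifier:", run_flow(tamper=True))
```

The property to notice is that the code appears in a URL, just as an Implicit-grant token would, but possessing it is useless without the verifier, which never leaves the client; the same check also defeats replay, because the server discards the code on first use.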
Upload and display image files and certificates
New Delegated Admin
Customers using Delegated Admin can now upload and display image files and upload certificates for properly configured resource types. Certificates are encoded before being stored.
Name of uploaded file is not displayed
Issue DS-45739 Delegated Admin
When uploading certificates or photos to REST resource types in Delegated Admin, the name of the uploaded file is not displayed. If multiple certificates are uploaded for a user, a number will be assigned based on the order the certificates were uploaded in.
Fixed input validation issue
Fixed DS-45760 Delegated Admin
Fixed a form input validation issue for required integer attributes on a resource type that was preventing users from saving new resources.
Non-members are no longer displayed initially for group’s resource types
Fixed DS-45483 Delegated Admin
Non-members of a group are no longer displayed initially on the edit group membership view for the group resource types.
PingDirectory suite of products 9.0.0.6 (August 2023)
Fixed an issue where the server rejected certain operations
Fixed DS-45767 PingDirectory
Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It will continue to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server will continue processing the operation as if that control had not been requested.
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.0.0.5 (April 2023)
PingDirectory suite of products 9.0.0.4 (January 2023)
Fixed an issue preventing the server from refreshing monitor data
Fixed DS-41468
Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.
Fixed an issue with the dsreplication tool
Fixed DS-45044 PingDirectory
Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.
Fixed an issue with the encode-password tool
Fixed DS-45546 PingDirectory
Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.
Fixed an issue with resource limits
Fixed DS-45638 PingDirectory
Fixed an issue where resource limits for the topology admin user created during replication enable were not set.
Fixed an issue causing configurations not to load correctly
Fixed DS-45798 PingDirectoryProxy
In the PingDirectoryProxy server, "manage-profile replace-profile" sometimes failed with an error similar to the following: The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) …
This fix ensures that the configuration is loaded prior to the merge that the error message refers to.
Fixed an issue causing replication enablement to fail
Fixed DS-45960 PingDirectory
Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.
Fixed an issue with changes to Password Policy State attributes
Fixed DS-46121 PingDataSync
Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.
Fixed an issue preventing users from changing their passwords
Fixed DS-46392 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the PingDirectoryProxy server.
The maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties are now exposed in the global configuration
Improved DS-46129 PingDirectoryProxy
Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
PingDirectory suite of products 9.0.0.2 (July 2022)
Updated the server to create the esTokenizer.ping file if it does not exist
Fixed DS-45449 PingDirectory
Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.
Updated the active operations monitor provider
Improved DS-45485 PingDirectory, PingDirectoryProxy
Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the LDAP SDK for Java.
Fixed a Directory REST API error with mismatched time syntax attribute values
Fixed DS-45788 PingDirectory
Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a SCIM entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
Fixed a SCIM POST request error response issue
Fixed DS-45863 PingDirectory
Resolved an issue where SCIM POST requests that violated a unique attribute constraint received an error response with status 400 (Bad Request) instead of 409 (Conflict).
Fixed a performance issue with large numbers of virtual static groups
Fixed DS-46017 PingDirectory
Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.
PingDirectory suite of products 9.0.0.1 (March 2022)
Issue with syncing multi-valued JSON attributes to a PingOne destination
Issue PingDataSync
For multi-valued JSON attributes, you should not use JSON attribute mappings when synchronizing data to a PingOne destination. When synchronizing JSON data, you can use a direct attribute mapping if the data at the source server is JSON. If the data at the source server should be assembled into JSON form, you can define a constructed attribute mapping.
Added support for synchronizing data to custom attributes defined in PingOne destinations
Improved DS-36184, DS-45125 PingDataSync
Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.
When defining attribute mappings for a PingOne destination, you can use direct attribute mappings for string to string or JSON to JSON synchronizations. If a string attribute at the source server should be stored as JSON in the PingOne environment, you should define a constructed attribute mapping in PingDataSync.
PingDirectory suite of products 9.0.0.0 (December 2021)
New entry-balancing options
Improved PingDirectory
Entry-balancing is a PingDirectoryProxy Server configuration that allows the entries within a portion of the directory information tree (DIT) to reside on multiple external servers. The entry counter, hash distinguished name (DN) and round-robin placement algorithms can now be configured to exclude backend sets for add operations, allowing for greater control over the use of multiple servers for entry balancing.
You can interact with entries within the data store including LDAP and several REST APIs
Improved PingDirectory
PingDirectory provides a number of interfaces for interacting with entries within the data store including LDAP and several REST APIs. In this release, the Directory REST API can now return any tagging options that are defined for an attribute. These tagging options are treated as subtypes of the same attribute while not explicitly declared in the schema.
CyberArk Conjur and Azure Key Vaults support added
Improved PingDirectory
In an earlier release, PingDirectory added support for a passphrase provider API to secure administrative passphrases, PINs, or passwords. This release adds both CyberArk Conjur and Azure Key Vault to the list of available passphrase and cipher stream providers. Cipher stream providers are used to protect the keys stored in the encryption settings database.
OAuth tokens can be used with the File Servlet
Improved PingDirectory
Because administrators now have the ability to single sign-on (SSO) to the PingDirectory administrative console, the File Servlet used to download files from a server instance can now also use OAuth tokens for authentication along with the basic HTTP authentication method, such as username and password.
Apply your own branding to console elements.
Fixed PingDirectory, PingDirectoryProxy, PingDataSync
The administrative console is one tool you can use to configure and manage PingDirectory servers. In this release, you can now apply your own branding to console elements such as background colors, images and logos, and certain text elements. Sign on, sign out, and configuration pages are included in possible configuration areas. For more information, see the README.txt file in the console .war file shipped with PingDirectory.
New --performLocalCleanup option added to the remove-defunct-server command
Improved PingDirectory
To improve the defunct server topology cleanup process when your topology is unhealthy, such as during a network outage or disaster recovery, a new option to the remove-defunct-server command cleans up stale replication metadata before the server is added back into the topology. This new argument, --performLocalCleanup, allows administrators to easily take a server out of a topology for maintenance or troubleshooting and return the server back to the topology later. For more information on remove-defunct-server and its options, run bin/remove-defunct-server --help.
Added support for a pluggable pass-through authentication plugin
Improved PingDirectory
Earlier PingDirectory Server versions support pass-through authentication to remote LDAP servers or to PingOne, which can be useful when migrating data into the Directory Server from another service, or when the Directory Server needs to coexist with another service that is an authoritative source for user passwords. This release adds support for a pluggable pass-through authentication plugin, which makes it possible to pass through simple bind requests to an arbitrary external service using a pass-through authentication handler to manage interaction with that service, and the Server SDK has been updated to allow creating custom pass-through authentication handlers. As with existing pass-through authentication support, this functionality is only available for LDAP simple binds, and it does not support SASL authentication. For more information on this plugin, see Working with pass-through authentication.
Added new options to the dsreplication command to make replication faster
Improved PingDirectory
In multi-server deployments, replication is used to maintain consistency of data and schema between the servers. With larger deployments, initializing replication for multiple servers can take longer. New options to the dsreplication command can now speed up this process by initializing replication on multiple servers in parallel. The servers to initialize can be either the entire set of servers in the deployment or a subset selected by location, by instance name, or by a specific number of servers. For more information on dsreplication subcommands, see Summary of the dsreplication Subcommands.
Added a new password storage scheme to provide enhanced security
Improved PingDirectory
Typically, the passwords for administrative users have been stored directly in PingDirectory based on the configured password storage scheme. To provide enhanced security for those administrative accounts that need it, a new password storage scheme has been added that allows for the password to be stored in an external vault. Currently, Amazon AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault are supported.
The config-audit log now tracks the originating account information when individual changes are made
Improved PingDirectory
To better manage the configuration of multiple servers in large topologies, PingDirectory uses the config-audit log file to allow administrators to easily determine, replay, or undo configuration changes made to servers. Previously, when modifying topology or cluster configuration, the original requesting account information was not logged. Now, to assist administrators and improve server auditing, the config-audit log will track the originating account information that made individual changes. For circumstances where more protection is required, there is a new property that will redact any sensitive attributes that might be written to the log file (instead of the default obfuscation behavior). This includes instances where administrative users change their passwords and affects any other condition where the sensitive attribute might be displayed for informational purposes, such as alerts.
PingDataSync can now include Active Directory account state information
Improved PingDataSync
Many customers use PingDataSync Server either to migrate from Active Directory or to use Active Directory in conjunction with PingDirectory to manage user accounts. Administrators can now configure PingDataSync to include account state information set in Active Directory, specifically the lockout time, the last time the password was set, and whether the account is disabled. This information can now be properly set within PingDirectory based on the information set in the account in Active Directory.
Entry balancing and global index
Issue PingDirectoryProxy
If the DirectoryProxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.
In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the DirectoryProxy Server could have selected a result from a backend server in which the target entry didn’t exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.
There are still known cases, however, in which the DirectoryProxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn’t allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.
Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology
Fixed PingDirectory, PingDataSync
When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
Fixed lost access to keys used for reversible password encryption when removing servers from the topology
Fixed DS-44591 PingDirectory
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Because this change only applies to the most recent version of |
Fixed Directory REST API
Fixed DS-37117 PingDirectory
Fixed an issue where the Directory REST API encountered internal server errors while processing entries whose attributes have LDAP tagging options.
Added LDAP pass-through authentication handler
Fixed DS-38498, DS-38621 PingDirectory
An LDAP pass-through authentication handler has also been provided, which allows the new plugin to be used as an alternative to the existing LDAP-specific pass-through authentication plugin. The new implementation provides additional functionality not available in the previous plugin, including the ability to indicate whether pass-through authentication should be allowed for accounts that are locked or have expired passwords and the ability to set timeouts that will be used when interacting with external LDAP servers. It also has improved default settings and offers better diagnostic information about its processing.
Added authentication support for passwords stored in several services
Fixed DS-40671 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.
The dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used
Fixed DS-40796 PingDirectory
To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.
Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change
Fixed DS-40926 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, which could be included in the server’s configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive will be obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values, but could interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.
Added sorting to the Name and Category columns of the monitor table
Fixed DS-42752 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added sorting functionality to the Name and Category columns of the monitor table in the administrative console.
Added replica-partial-backlog attribute to replication summary monitor
Fixed DS-42961 PingDirectory
To help with replication backlog analysis, the replication summary monitor now includes a replica-partial-backlog attribute that shows how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute also shows the change numbers used for the calculation.
Updated the server to record the original requester distinguished name (DN) and IP address
Fixed DS-43056 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Updated the server to record the original requester distinguished name (DN) and IP address in access log and config audit log messages for mirrored configuration changes.
Fixed issues related to server handling of controls in search requests
Fixed DS-43582 PingDirectory, PingDirectoryProxy
Fixed a couple of issues in which the server might not properly handle other controls included in a search request containing a join request control. For search operations passing through the Directory Proxy Server, other response controls could have been inadvertently stripped from search result entries when adding the join result control. Further, if a search request included a join request control in conjunction with one or more other controls, the request control immediately following the join request control might not have been properly handled.
Added support for obtaining secrets from CyberArk Conjur
Fixed DS-43917 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service. The server can authenticate to Conjur using a username and a password or an API key.
Added support for obtaining secrets from Azure Key Vault
Fixed DS-43918 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service.
New global configuration properties to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request
Fixed DS-43959, DS-44924 PingDirectory
These can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that can be provided for an attribute.
Fixed proxied authorization issue
Fixed DS-44081 PingDirectory
Addressed an issue where proxied authorization would fail in rare cases for usernames with 57 or 58 characters and DNs with 108 or 109 characters.
Fixed manage-profile replace-profile keystore files issue
Fixed DS-44280, DS-45027, DS-45037 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS 140-2-compliant mode.
Fixed View API Commands issue
Fixed DS-44329 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Resolved an issue where the View API Commands link appeared to be disabled in the administrative console.
Fixed silent replication failure
Fixed DS-44454 PingDirectory
Fixed an issue where non-DN modifications associated with a moddn change would silently fail to replicate.
Added new --performLocalCleanup argument to remove-defunct-server
Fixed DS-44495 PingDirectory
Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.
Added a PKCS #11 cipher stream provider
Fixed DS-44519 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server’s encryption settings database. Only certificates with RSA key pairs can be used because Java virtual machines (JVMs) do not currently provide adequate key wrapping support for elliptic curve key pairs.
Server instances can now be safely mirrored to older servers in mixed-version topologies
Fixed DS-44577 PingDirectory
Server instances, which are within a mirrored subtree, can now be safely mirrored to older servers in mixed version topologies. This is done by adding the following to server instances: objectclass: extensibleObject.
Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology
Fixed DS-44591 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Because this change only applies to the most recent version of |
Added PingData Administrative Console configuration capability
Fixed DS-44595 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The PingData Administrative Console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (for example, PKCS12 or BCFKS) are now properly supported.
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks
Fixed DS-44601 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.
Updated the file servlet
Fixed DS-44602 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.
Improved includePath argument validation performed by the manage-profile generate-profile tool
Fixed DS-44604 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept but warn about paths that reference files that do not exist.
Fixed an issue that caused an internal root account to be subject to the server’s default password policy
Fixed DS-44623 PingDirectory, PingDirectoryProxy
Fixed an issue that caused an internal root account (used for processing certain types of internal operations) to be subject to the server’s default password policy. With some password policy configurations, if a DirectoryProxy Server attempted to perform an internal operation that targeted data in a backend Directory Server, that operation could have been incorrectly rejected.
Fixed symmetric keys issue
Fixed DS-44648 PingDirectory
Addressed an issue where symmetric keys were not being sanitized in the config-audit.log.
Updated the export-ldif tool
Fixed DS-44669 PingDirectory
Updated the export-ldif tool to always base64 encode values with any ASCII control characters. The LDIF specification in RFC 2849 only requires base64 encoding for the NUL, LF, and CR control characters, and those are the only control characters that were previously base64 encoded. However, the specification also permits base64 encoding for any type of character, and always base64 encoding all control characters is safer and reduces the chance for errors when working with values containing such characters.
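The difference between the RFC 2849 minimum and the stricter rule is easier to see in code. The Python below is an added illustration, not the export-ldif tool’s own logic: it implements the SAFE-STRING test from RFC 2849, the stricter "any ASCII control character" test described above, and a small round-trip parser.

```python
from __future__ import annotations

import base64

# RFC 2849 SAFE-STRING: the first byte may not be NUL, LF, CR, SPACE, ':' or '<';
# later bytes may not be NUL, LF or CR; every byte must be <= 0x7F.
_UNSAFE_INIT = {0x00, 0x0A, 0x0D, 0x20, 0x3A, 0x3C}
_UNSAFE_ANY = {0x00, 0x0A, 0x0D}


def needs_base64_rfc2849(value: bytes) -> bool:
    """Minimum RFC 2849 rule: encode only when the value is not a SAFE-STRING
    (plus the RFC's recommendation to encode values ending in a space)."""
    if not value:
        return False
    if value[0] in _UNSAFE_INIT or value[0] > 0x7F:
        return True
    if any(b in _UNSAFE_ANY or b > 0x7F for b in value[1:]):
        return True
    return value[-1] == 0x20  # trailing SPACE: SHOULD be base64-encoded


def needs_base64_strict(value: bytes) -> bool:
    """Stricter rule from the release note: additionally encode any other
    ASCII control character (0x01-0x1F and DEL), e.g. TAB, BEL, ESC."""
    if needs_base64_rfc2849(value):
        return True
    return any(b < 0x20 or b == 0x7F for b in value)


def ldif_attribute_line(name: str, value: bytes, strict: bool = True) -> str:
    """Render one LDIF attribute line, using '::' plus base64 when required."""
    check = needs_base64_strict if strict else needs_base64_rfc2849
    if check(value):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value.decode('ascii')}"


def parse_ldif_line(line: str) -> tuple[str, bytes]:
    """Inverse of ldif_attribute_line: returns (attribute name, raw value bytes)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip())
    return name, rest.lstrip(" ").encode("ascii")


if __name__ == "__main__":
    # Constructed sample values: a TAB is legal in a SAFE-STRING, so the RFC
    # minimum would emit it raw; the strict rule base64-encodes it instead.
    for raw in (b"Tab\tseparated", b" leading space", b"plain value", b"caf\xc3\xa9"):
        print(ldif_attribute_line("description", raw, strict=False))
        print(ldif_attribute_line("description", raw, strict=True))
```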
Made several improvements to the ldap-diff tool
Fixed DS-44757 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
- Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
- Added the ability to use a properties file to obtain default values for command-line arguments.
- Improved the ability to use different TLS-related settings for the source and target servers.
- Improved support for SASL authentication.
Updated the migrate-ldap-schema tool
Fixed DS-44758 PingDirectory
Updated the migrate-ldap-schema tool to provide more flexibility for TLS negotiation, support for SASL authentication, support for using a properties file, and better validation for migrated attribute type and object class definitions.
Fixed a remove-defunct-server issue
Fixed DS-44793 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.
Improved performance for modify operations
Fixed DS-44884 PingDirectory
Improved performance for modify operations that need to insert an entry ID into the middle of a very large composite index ID set.
Addressed a connection error in remove-defunct-server
Fixed DS-44892 PingDirectory
Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (that is, a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.
Fixed an error when backing up an encrypted backend
Fixed DS-44904 PingDirectory
Fixed a race condition that could sporadically cause an error when backing up an encrypted backend.
Addressed an issue where simple binds on entries
Fixed DS-44931 PingDirectory
Addressed an issue where simple binds on entries without passwords would not update the relevant password policy attributes, such as ds-pwp-auth-failure.
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites
Fixed DS-44940 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.
Fixed an issue in which the server might not use appropriate resource limit values
Fixed DS-44942 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server might not use appropriate resource limit values for accounts that bind with pass-through authentication. In such cases, the server might apply size limit, time limit, idle time limit, and other constraints from the global configuration instead of alternative values for those limits set in the user entry.
Fixed server hang issues
Fixed DS-45032 PingDirectory
- Addressed an issue that caused remove-defunct-server to hang.
- Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.
For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times
Fixed DS-45038 PingDirectory
For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times in order to apply the new generation ID.
Added support for Eclipse Foundation JDKs
Fixed DS-45039 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for the use of Java Development Kits (JDKs) obtained through Eclipse Foundation.
Fixed an issue where explicit createTimestamp values are replicated to peer servers
Fixed DS-45056 PingDirectory
Fixed an issue where explicit createTimestamp values were replicated to peer servers using a default timestamp format rather than the non-default format value stored on the first server.
Updated the mirror virtual attribute provider to include an option to bypass access control evaluation for the internal searches that it performs
Fixed DS-45060 PingDirectory
This might allow the virtual attribute to provide values from another entry even if the requester would not otherwise have permission to access those values.
Fixed a Ping Directory Server performance issue involving high CPU usage
Fixed DS-45115 PingDirectory
Fixed a Ping Directory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.
Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments
Fixed DS-45124 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.
Fixed a composed attribute plugin issue
Fixed DS-45153 PingDirectory
Fixed an issue that prevented the composed attribute plugin from working for operations that are part of a multi-update request.
Fixed an issue where a server with a newly initialized database could go into lockdown mode
Fixed DS-45154 PingDirectory
Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.
Changed default tab in the administrative console
Fixed DS-45160 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Changed the default tab in the administrative console to Modify when updating an existing server resource with new changes.
Added support for new extended operations
Fixed DS-45162 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for new extended operations to help manage the server’s listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.
Added support for BellSoft JDKs
Fixed DS-45190 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for the use of JDKs obtained through BellSoft.
Improved performance of server encryption
Fixed DS-45203 PingDirectory
Resolved a performance issue that could cause servers installed using a server encryption option to spend several minutes waiting in the Initializing Crypto Manager phase during server startup.
Added a scroll bar to the administrative console’s Server list
Fixed DS-45284 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added a scroll bar to the administrative console’s Server list to ensure all servers are accessible regardless of screen size.
Updated the entry counter, hash DN, and round robin placement algorithms
Fixed DS-44678 PingDirectoryProxy
Updated the entry counter, hash DN, and round robin placement algorithms to make it possible to exclude specified backend sets from consideration when adding new entries to an entry-balanced topology.
Improved server logic
Fixed DS-44798 PingDirectoryProxy
Improved the logic the server uses to select the best result to return to the client when an operation fails in an entry-balanced topology after the request was broadcast to all backend sets. In some cases, the server could have incorrectly returned a result from a backend set in which the target entry did not exist instead of a more appropriate result from the backend set that did contain the entry.
Fixed dashboard icon issue
Fixed DS-44224 PingDataMetrics
Addressed an issue where icons on the dashboards were not properly displayed.
Synchronize from Active Directory attribute lockoutTime on source systems to PingDirectory attribute pwdAccountLockedTime
Fixed DS-44513 PingDataSync
Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.
Added direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled
Fixed DS-44636 PingDataSync
Synchronize from the Active Directory userAccountControl bit indicating that the account is disabled (bit #2), or msDS-UserAccountDisabled on AD LDS, to PingDirectory attribute ds-pwp-account-disabled. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.
Added direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime
Fixed DS-44660 PingDataSync
Synchronize from Active Directory attribute pwdLastSet, which holds the password changed time, to PingDirectory attribute pwdChangedTime. Because pwdChangedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime.
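The three Active Directory account-state items above (lockoutTime, the userAccountControl disabled bit, and pwdLastSet) all reduce to decoding AD values into the intermediate attributes the mappings consume. The Python below is an added illustration of that decoding, not PingDataSync’s own code; it assumes AD FILETIME semantics (100-nanosecond intervals since 1601-01-01 UTC), the documented ACCOUNTDISABLE bit value 0x0002, and LDAP generalized time with millisecond precision as the target format, and the `ad_account_state` function name and the sample entry are constructed for the example.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# AD FILETIME counts 100-ns intervals since this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel AD uses for "never"
ACCOUNTDISABLE = 0x0002              # userAccountControl bit #2


def filetime_to_generalized_time(filetime: int) -> str | None:
    """Convert an AD FILETIME to LDAP generalized time (YYYYMMDDhhmmss.fffZ).
    0 means 'unset' (e.g. not locked / must change at next logon) and the
    'never' sentinel has no calendar value, so both map to None."""
    if filetime <= 0 or filetime == FILETIME_NEVER:
        return None
    when = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return when.strftime("%Y%m%d%H%M%S") + f".{when.microsecond // 1000:03d}Z"


def _first(entry: dict[str, list[str]], attr: str, default: str) -> str:
    """Attributes are modelled as multi-valued lists, as an LDAP client returns them."""
    values = entry.get(attr)
    return values[0] if values else default


def ad_account_state(entry: dict[str, list[str]]) -> dict[str, str]:
    """Derive the intermediate '...FromAD' attributes from a constructed AD entry.
    Only attributes that carry a value are emitted, mirroring how an absent
    lockoutTime means 'not locked' rather than 'locked at epoch'."""
    state: dict[str, str] = {}

    # Disabled flag: userAccountControl bit on AD, msDS-UserAccountDisabled on AD LDS.
    uac = int(_first(entry, "userAccountControl", "0"))
    adlds_disabled = _first(entry, "msDS-UserAccountDisabled", "FALSE").upper() == "TRUE"
    disabled = bool(uac & ACCOUNTDISABLE) or adlds_disabled
    state["ds-pwp-account-disabled-from-ad"] = "true" if disabled else "false"

    changed = filetime_to_generalized_time(int(_first(entry, "pwdLastSet", "0")))
    if changed is not None:
        state["pwdChangedTimeFromAD"] = changed

    locked = filetime_to_generalized_time(int(_first(entry, "lockoutTime", "0")))
    if locked is not None:
        state["pwdAccountLockedTimeFromAD"] = locked

    return state


if __name__ == "__main__":
    # Constructed sample: NORMAL_ACCOUNT (0x200) + ACCOUNTDISABLE (0x2) = 514,
    # password last set 2021-12-01T00:00:00Z, never locked out.
    sample = {
        "userAccountControl": ["514"],
        "pwdLastSet": ["132827904000000000"],
        "lockoutTime": ["0"],
    }
    for attr, value in ad_account_state(sample).items():
        print(f"{attr}: {value}")
```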
Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes
Fixed DS-44922 PingDataSync
Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes with the same base name but with different option tags, when any of these attributes had more values in the source entry than the replace-all-attr-values-limit for the Sync class.
Delegated Admin 4.9 (March 2022)
Managing accounts now includes the ability to unlock accounts
Improved Delegated Admin
Previously, the only way to unlock an account was for an administrator to reset the password. Now, delegated administrative users can directly unlock an account without resetting the password. For more information, see Unlocking user accounts.
The initiate password reset option does not unlock accounts.
Resource types can now have custom names assigned for Members and Nonmembers columns
Improved Delegated Admin
This option is available for the Groups, Users, and Generic rest resource types.
For more information, see delegated_admin_application_guide:pd_da_manage_groups.adoc#section_vk5_yll_xsb.
The grant type is now set to Authorization Code with PKCE
Improved Delegated Admin
Earlier versions of Delegated Admin have used the Implicit grant type as the default OpenID Connect (OIDC) grant type. Because the Implicit grant type can leak access tokens, it is no longer recommended for use. In new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE. To change your default OIDC grant type to Authorization Code with PKCE in existing installations of Delegated Admin, see Changing the default OIDC grant type.
For more information on the Implicit grant type, see OAuth 2.0 Implicit Grant.
dadmin-account-locked is not available for filtering
Issue Delegated Admin
Because the account locked state, dadmin-account-locked, is not a true attribute, it is not available for filtering in reporting.
No resources displayed for a correlated resource type
Issue Delegated Admin
If a resource is linked to more correlated resources than the correlated resource type’s search limit, then no resources will be displayed for that correlated resource type. To view the resources for that correlated resource type, increase the correlated resource type’s search limit.
Fixed error message issue
Fixed DS-40723 Delegated Admin
Fixed an issue where an error message was not displayed when password generation was unsuccessful.
Fixed multi-valued attribute deletion error
Fixed DS-45075 Delegated Admin
Fixed an issue that prevented the first value in a multi-valued attribute from being deleted.
Updated the warning banner for configuration errors
Fixed DS-45079 Delegated Admin
Updated the warning banner for configuration errors to only display for the first 10 seconds after signing in to Delegated Admin.