Release Notes

New DS-47373 PingDirectory

Added the check-replication-domains tool, which you can run to check the current list of known replication domains in changelogDb and find any obsolete domains present. The tool defaults to the server’s root directory. Learn more about Discovering obsolete replicas.

Improved DS-47144 PingDirectory, PingDirectoryProxy, PingDataSync

Improved various timeouts for dsreplication enable and remove-defunct-server operations to enable them to scale with the size of the topology. Smaller-sized topologies shouldn’t be impacted by these changes.

Improved DS-46597 PingDirectory

Increased timeouts for mirrored subtree operations to provide better support for large or distributed topologies.

Improved DS-47083, DS-47084 PingDirectory

Improved the performance of dsreplication commands in topologies with a large number of PingDirectory servers or high network latency.

Improved DS-47104 PingDirectory

Improved the response time of the dsreplication command.

Improved DS-47831 PingDirectory

A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.

Fixed DS-47455 PingDirectory, PingDirectoryProxy, PingDataSync, PingDataMetrics

Fixed an issue where a NullPointerException was thrown when an alert or alarm was raised and one or more of the alert handlers weren’t configured. This most commonly happened when the server was being stopped.

Now, instead of throwing a NullPointerException, the server logs this message: Alert notification '<notification>' will not be processed by alert handler '<alert_handler>' since that alert handler does not have configuration.

Fixed DS-48300 PingDirectory, PingDataSync

Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed DS-47289 PingDirectory

Fixed a potential NullPointerException that the server could throw during replication if missing changes were found for a replica, but that replica didn’t exist on all servers. This scenario can happen when an obsolete replica is purged concurrent to the check for missing changes.

Fixed DS-47369 PingDirectory

Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.

Fixed DS-47695 PingDirectory

The generation ID, represented by ds-sync-generation-id, is a value used by replication to determine if replicas are compatible and can be replicated. To address the issue of multiple generation IDs for the same suffix, the generation ID is now calculated independent of the disk order in which the entries are stored. This new behavior is helpful when entries are imported on new servers instead of initializing them.

Fixed DS-47326 PingDirectory

Fixed an issue where running the dsreplication status --displayservertable command sometimes failed to display peer server statuses or generation IDs.

Fixed DS-47878 PingDirectory

Fixed a problem where dsreplication initialize suggested using the --force option if you were unable to connect to the server properly.

Fixed DS-46664 PingDirectory

Added caching logic to address a performance issue that occurred when adding new servers to large, replicated topologies spanning multiple geographic locations.

Fixed DS-45949 PingDirectory

Fixed an issue where aborting a transaction on a PingDirectory server could sometimes fail to release a write-lock, causing all subsequent transactions to fail with the error DATABASE_LOCK_CONFLICT until the server was restarted.

Fixed DS-48040 PingDirectoryProxy

Fixed an issue where PingDirectoryProxy wouldn’t accurately report the availability of backends added through automatic backend discovery.

Improved DS-45157 PingDirectory

We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.

Fixed DS-48205 PingDirectory

We fixed an issue where the Changelog Password Encryption plugin wouldn’t work properly in a replicated environment if you changed a password using a Password Modify extended operation. The password change is now propagated to all replicas.

New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).

If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file may be removed after the next configuration change.

By default, this property will apply to the topology registry subtree.

Improved DS-46902 PingDirectory

The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.

Fixed DS-45527 PingDataSync

Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Fixed DS-47585 PingDirectory

Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.

Fixed DS-47784 PingDirectory

Fixed an issue with running remove-defunct-server against servers configured with anAES256 password storage scheme where encryption settings were not initialized before initializing password policy components.

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

New DS-47166 PingDirectory

Critical: Added the property cache-duration to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed DS-46882 PingDirectory

Fixed an issue where attempting to change a password that’s within the minAge now responds with an UNABLE_TO_PERFORM code rather than INVALID_CREDENTIALS.

Improved DS-46906 PingDirectory

Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.

Fixed DS-47103 PingDirectory

Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.

Fixed DS-47182 PingDirectory

Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.

New DS-38367, DS-38368, DS-38369 PingDirectory

For more information, see ACI bind rules and ACI targets.

New DS-42172 PingDirectory

Added a new "audit data security" recurring task that can be used to regularly examine server data for potential security-related issues. For more information, see Auditing data content.

New DS-44855 PingDataSync

Added new stats to track operations on account state when using an UnboundIDSyncDestination. They can be found on the monitor entry for the sync pipe associated with the destination.

New DS-45766 PingDirectory, PingDirectoryProxy, PingDataSync

The server can now run on Java 17.

New DS-45970

Updated Groovy support from Groovy 2.x to Groovy 3.x for Java 17 compatibility. This change might introduce some minor incompatibilities in Groovy script support (for example, it appears that import statements split across multiple lines are no longer allowed), so deployments making use of Groovy-scripted extensions should carefully test these extensions in a temporary standalone instance to verify compatibility and make any necessary changes before updating existing instance.

New DS-46108 PingDataSync

Added a SCIM 2.0 sync destination. For more information, see Configuring synchronization to a SCIM 2.0 server.

New DS-46018 PingDirectory

Added new password storage schemes that provide support for the Argon2i, Argon2d, and Argon2id variants of the Argon2 password hash and proof-of-work function. We previously offered only a single Argon2 password storage scheme (which used Argon2i behind the scenes), but the new schemes make it possible to explicitly indicate which variant should be used for encoding passwords.

For more information about password storage schemes, see Supported password storage schemes.

New DS-46593

Added an HTTP servlet extension that allows the values of numeric monitor attributes to be published as metrics in a form that can be consumed by a Prometheus monitoring server. For more information, see Monitoring server metrics with Prometheus.

Fixed DS-12140, DS-42173, DS-46123, DS-46124, DS-46125, DS-4782, DS-4783, DS-4784, DS-5130 PingDirectory

For more information about data security auditors, see Auditing data content.

Fixed DS-44442 PingDirectory

Removed support for incremental backups, which had been deprecated since the 8.3.0.0 release. As an alternative, we recommend using LDIF exports, which are more useful, more portable, and much more compressible than full backups, and they can be taken more frequently than full backups without consuming as much disk space. Further, the extract-data-recovery-log-changes tool can be used in conjunction with either LDIF exports or backups to replay changes recorded in the data recovery log since the time the export or backup was created.

Fixed DS-44966 PingDirectory

Fixed an issue where exploded indexes were unexpectedly created following an unclean shutdown.

Fixed DS-45044 PingDirectory

Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.

Fixed DS-45461 PingDirectory

To close a vulnerability found in hibernate-validator 5.4.3 in the management console, we are updating the console to version 6.2.1. This newer version requires use of jakarta-validator 2.0.2 rather than the older javax-validator 1.1.0, therefore we are upgrading directory to use jakarta-validator 2.0.2 to preserve compatibility.

When moving to version 2, javax-validator was moved to jakarta, but still uses the javax namespace, and therefore no code changes need to be made other than dependencies. In the future, if we move to jakarta-validator v3 however, we will need to move to the jakarta namespace.

Fixed DS-45567 PingDirectory

Fixed an issue where a replication initialize task that ran longer than the configured connection idle-timeout-limit would cause the initialize to fail.

Fixed DS-45638 PingDirectory

Fixed an issue where resource limits for the topology admin user created during replication enable were not set.

Fixed DS-45933

Updated jQuery to 3.6.0.

Fixed DS-45960 PingDirectory

Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.

Fixed DS-46017 PingDirectory

Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.

Fixed DS-46119 PingDataSync

Fixed an issue encountered when using PingDataSync with a PingOne Sync Destination that caused sync to slow down significantly after 5 minutes and generate extraneous requests to the sync destination.

Fixed DS-46121 PingDataSync

Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.

Fixed DS-46129 PingDirectoryProxy

Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.

Fixed DS-46169 PingDirectory

Modified the migrate-ldap-schema tool to remove incorrect single-quotes enclosing the attribute type syntax OID in schemas being imported from Microsoft Active Directory.

Fixed DS-46392 PingDirectory,PingDirectoryProxy

Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.

Fixed DS-46436 PingDirectory

Fixed an issue where new servers could not be enabled into a large topology.

Improved PingDirectory

The audit-data-security tool is used to identify potential risks or other notable security characteristics contained in directory data. This tool has been enhanced to use new data security auditors defined in the server configuration. The new data security auditors can identify:

Also, the locked account auditor is now able to identify validation-locked accounts, and the weakly encoded password auditor can now flag passwords encoded with SMD5, SHA, and SSHA, and also the MD5 variant of the CRYPT scheme.

For more information about the audit-data-security tool, see Auditing data content.

Improved PingDirectory

A number of features have been added to improve logging and the summarize-access-log tool to provide a better experience for administrators. The summarize-access-log tool already provided a list of the domain names of the target users for the most common bind failures, but the following metrics have been added to improve the detection of possible security issues:

For more information about the summarize-access-log tool, see Logging Tools

Improved PingDirectory

PingDirectory provides a number of features to manage control to data within the data store including Access Control Instructions and connection criteria. In this release, the access control handler now provides support for a bind rule that can make it possible to make access control decisions based on whether the client connection is secure or whether the client connection matches a given set of connection criteria or if a target that makes it possible to determine whether the rule applies to a given request based on request criteria.

Improved DS-38078 PingDirectory

Updated the global configuration to define configuration properties that can be used to set alternative size limit, time limit, idle time limit, and lookthrough limit values for unauthenticated clients. By default, the server will use the same default limits for both authenticated and unauthenticated clients, but you can now set limits for unauthenticated clients that are different from the default limits imposed for authenticated clients. It is still possible to override these limits on a per-user basis with operational attributes in the user’s entry.

Improved DS-38277

Added support for generating digital signatures with a key obtained from an encryption settings definition. By default, the server’s preferred encryption settings definition will be used to obtain the signing key, but you can use the signing-encryption-settings property in the crypto manager configuration to choose an alternative definition.

Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.

Improved DS-40345

Updated the server to add HTTP forward proxy support for several server components that may need to establish HTTP and HTTPS connections to external services. Updated components include:

Improved DS-41467 PingDirectory

The replication-purge-obsolete-replicas global configuration property is now set to true by default for new and upgraded PingDirectory servers so that obsolete replicas are purged.

Improved DS-45968

Updated the replace-certificate tool’s behavior when running in interactive mode. Previously, when it prompted the user for the path to a file containing one or more certificates to be imported, it would exit with an error if the provided path represented a file that did not contain valid certificate information. It will now re-prompt the user for the path to a valid file after displaying the error message.

Improved DS-46127 PingDirectory

Updated replication enable synopsis to mention that schema initialization is part of the enable process and explain that the order of provided servers is significant for the initialization.

Improved DS-46313

Updated the dsconfig tool to ensure that it uses the correct authentication type when applying changes to all servers in a server group. Previously, it would always attempt to use simple authentication, even if the connection to the initial server was authenticated using a different mechanism.

Improved DS-46332 PingDirectory

The replication server now continues to handle incoming replication connections even when there is an unexpected exception.

Improved DS-46615

Updated the Amazon AWS external server configuration to provide more control over the method used to authenticate to AWS. Previously, it was only possible to authenticate with an access key or an IAM role. We have added an option to use an IRSA role, and we have also added an option to use a default credentials provider chain that attempts to identify an appropriate authentication method for cases in which the server is running in the AWS environment (for example, EC2 or EKS) based on locally available information like system properties and environment variables.

Issue DS-46127 PingDirectory

There is a known issue with the description of the dsreplication enable subcommand differing based on the operating system. On MacOS, an updated description is shown:

"Update the configuration of the servers to replicate the data under the specified base DN(s). If one of the two servers is already part of an existing replication topology, then that server must be specified as the first server. This is because the schema of the second server will be updated to match the schema of the first. The configuration of all the servers in the existing topology will also be updated, so it is sufficient to perform this operation once for each new server that is added to the topology. The server-to-server replication communication is always secured with SSL."

But on some operating systems, including Windows and CentOS, the older description is shown that doesn’t mention the schema initialization.

New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under specified base DNs.

If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration gets added to the configuration archive, but that archived configuration file can be removed after the next configuration change.

By default, this property applies to the topology registry subtree.

Improved DS-45157 PingDirectory

We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.

Improved DS-46902 PingDirectory

The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.

Improved DS-46906 PingDirectory

Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.

Fixed DS-47369 PingDirectory

Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.

Fixed DS-47289 PingDirectory

Fixed a possible null pointer exception in replication where missing changes were found for a replica, but that replica didn’t exist on all servers. This could have occurred in scenarios where the replica was obsolete and purged concurrent to the check for missing changes.

Fixed DS-47784 PingDirectory

Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme. In these cases, the encryption settings were not initialized before initializing the password policy components.

Fixed DS-47103 PingDirectory

Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.

Fixed DS-47182 PingDirectory

Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.

Fixed DS-46807 PingDirectory

Fixed an issue where dsreplication enable failed to add a server with a hotfix build to an existing topology with a previous build. The hotfix server would attempt to become topology master immediately, interrupting proper initialization.

Fixed DS-46983 PingDirectory

Fixed an issue where errors that occurred during a manage-profile replace-profile operation would only log Batch command failed entries.

Batched dsconfig commands that are executed during manage-profile replace-profile will now report a detailed cause for the failing command.

Fixed DS-47609 PingDataSync

Fixed an issue where the server would throw a null pointer exception and fail to synchronize during a realtime-sync operation.

Fixed DS-45527 PingDataSync

Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

Fixed DS-45638 PingDirectory

Fixed an issue where resource limits for the topology admin user created during replication enable were not set.

Fixed DS-46121 PingDataSync

Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed DS-46882 PingDirectory

Fixed an issue where attempting to change a password that’s within the minAge now responds with an UNABLE_TO_PERFORM code rather than INVALID_CREDENTIALS.

Fixed DS-45044 PingDirectory

Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.

Fixed DS-45960 PingDirectory

Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.

Fixed DS-46017 PingDirectory

Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.

Fixed DS-46392 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.

Improved DS-46129 PingDirectoryProxy

Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.

Improved DS-46332 PingDirectory

The replication server now continues to handle incoming replication connections even when there is an unexpected exception.

New

Log files can contain potentially contain sensitive or identifiable information that you might not necessarily want recorded in the clear. The server can now be configured to support sanitizing access logs as they are being written. It is available for any writer-based or JSON-formatted access log, and elements in the log message can either be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see Log sanitization.

New

PingDirectory provides a robust logging system allowing for detailed analysis of the server’s functioning. Included is support for creating log files written using JSON format. The summarize-access-log command, which is used to display a number of metrics about operations processed within the server, now supports processing JSON formatted access logs.

New

The Directory REST API allows developers to create customized application for managing the entries in a directory instance. The Directory REST API now supports controls previously only available through LDAP calls. This includes the ability to do joins allowing for advanced data modeling of relationships.

New

In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically and, in such cases, the server whose add attempt creates a conflict, now returns a CONFLICT result in the replication response control and LDAP result code.

Improved DS-44507, DS-45243, DS-45530

Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.

Improved PingDataSync

PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.

Improved PingDataSync

When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.

Issue PingDirectory

An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator in a repeating cycle when resetting the password.

One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:

Issue

The setup command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the lib directory that begin with bc. The JAR files are mentioned in an error message similar to the following: An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server’s classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.

Issue DS-46007

If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the lib directory, resulting in both the older and newer versions of the library being in the lib directory. This should not cause any problems with the server, but it might result in warning messages in the server’s error log about different versions of the same JAR file in the classpath (for example, The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar and The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.

Issue DS-46016 PingDirectory, PingDirectoryProxy

JSON-formatted join request controls with their criticality set to false are rejected as if their criticality were true by non-search requests.

Fixed DS-41468

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced. For information on log sanitization, see Log sanitization.

Fixed DS-44481

The status tool now shows the current collect-support-data version.

Fixed DS-45336

Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.

Fixed DS-45449 PingDirectory

Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

Fixed DS-45466 PingDirectory

Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.

Fixed DS-45485 PingDirectory, PingDirectoryProxy

Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.

Fixed DS-45546 PingDirectory

Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.

Fixed DS-36184, DS-45125 PingDataSync

Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.

Fixed DS-45123 PingDataSync

Updated the manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.

Fixed DS-16236 PingDirectory

Updated the sanitize-log tool to better align with the server’s support for sanitizing log messages as they are logged. Changes include:

Improved DS-42302 PingDirectory

Added support for improved assured replication result codes when replication conflicts occur. For processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.

Fixed DS-44667 PingDirectory

Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.

Improved DS-45147 PingDirectory, PingDataSync, PingDirectoryProxy

Added a docker-pre-start-config command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container’s environment.

Improved DS-45163

Added a --excludeSetupArguments argument for the manage-profile generate-profile command. Added a --skipValidation argument for the manage-profile replace-profile command. This argument allows skipping the final server validation step when running on an offline server and allows generating a server profile that does not include a setup-arguments.txt file. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile’s <server-root>/pre-setup/ directory.

Fixed DS-45250

Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.

Improved DS-45255, DS-45504, DS-45505 PingDirectory

Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to ds-pwp-modifiable-state-json if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for modify operations, and the server would properly reject add attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.

The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it prohibits attempts to update ds-pwp-modifiable-state-json operational attribute in an another user’s entry in the same modify request that also resets that user’s password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user’s password policy state.

Fixed DS-45322 PingDirectory

A former version of the tool allowed the --useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.

Fixed DS-45439, SF:00741269# PingDirectory

Minimum and maximum age password policies are no longer applied for users without a password.

Security DS-45462

Updated PingDirectory products to use Kafka 2.8.1, which resolves.

Fixed DS-45470 PingDirectory

Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine where the results from one index should already be encompassed by results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).

Improved DS-45480, DS-45636

Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server’s certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.

Made the following updates to the replace-certificate tool:

Fixed DS-45487 PingDirectory

Fixed an issue where access logs incorrectly reported negative processing times for certain operations.

Improved DS-45494 PingDirectory, PingDirectoryProxy

Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.

Security DS-45503

Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.

Improved DS-45541, DS-45542

Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.

Improved DS-45564 PingDirectory

This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.

In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.

Fixed DS-45578 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.

Fixed DS-45582 PingDirectory

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server …​may have missed one or more update(s). if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.

Fixed DS-45600 PingDirectory

Updated the export-reversible-passwords tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.

Fixed DS-45767 PingDirectory

Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It continues to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.

Fixed DS-45714, SF:00753519# PingDirectory

Fixed an issue that allowed replication protocol messages to be dropped.

Fixed DS-45746 PingDirectory

Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.

Fixed DS-45786 PingDirectory

Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.

Fixed DS-45788 PingDirectory

Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.

Fixed DS-45798 PingDirectoryProxy

In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:

This fix ensures that the configuration is loaded prior to the merge that the error message refers to.

Security DS-45806

Updated Jackson Databind to 2.13.3.

Security DS-45898

Updated the commons-codec library to version 1.13.

Security DS-45903

Updated the Google Guava dependency in common libraries.

Improved DS-45948 PingDirectory

The Directory REST API no longer includes RDN values in modify requests to update the DN of an entry, because RDN values are updated by default in modify DN requests.

New Delegated Admin

Managing accounts includes the ability to unlock accounts. Previously, the only way to unlock an account was for an administrator to reset the password. Now, Delegated Admin users can directly unlock an account without resetting the password.

New Delegated Admin

Managing group membership is a common administrative user task. Resource types can now have custom names assigned for Members and Nonmembers columns. This option is available for the Groups, Users and Generic REST resource types.

New Delegated Admin

Currently, we are using the Implicit grant type. However, the Implicit grant type is no longer recommended for use because it can leak the access tokens. For more information, see https://oauth.net/2/grant-types/implicit/. For new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE.

New Delegated Admin

Customers using Delegated Admin can now upload and display image files and upload certificates for properly configured resource types. Certificates are encoded before being stored.

Issue DS-45739 Delegated Admin

When uploading certificates or photos to REST resource types in Delegated Admin, the name of the uploaded file is not displayed. If multiple certificates are uploaded for a user, a number will be assigned based on the order the certificates were uploaded in.

Fixed DS-45760 Delegated Admin

Fixed a form input validation issue for required integer attributes on a resource type that was preventing users from saving new resources.

Fixed DS-45483 Delegated Admin

Non-members of a group are no longer displayed initially on the edit group membership view for the group resource types.

Fixed DS-45611 Delegated Admin

Non-member groups are no longer displayed initially on the edit group membership view for the users and generic resource types.

Fixed DS-45591 Delegated Admin

Non-members of a group are no longer loaded in the group resource type search results on the group membership tab.

Fixed DS-45767 PingDirectory

Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It will continue to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server will continue processing the operation as if that control had not been requested.

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed DS-46882 PingDirectory

Fixed an issue where attempting to change a password that’s within the minAge now responds with an UNABLE_TO_PERFORM code rather than INVALID_CREDENTIALS.

Fixed DS-41468

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.

Fixed DS-45044 PingDirectory

Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.

Fixed DS-45546 PingDirectory

Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.

Fixed DS-45638 PingDirectory

Fixed an issue where resource limits for the topology admin user created during replication enable were not set.

Fixed DS-45798 PingDirectoryProxy

In the PingDirectoryProxy server, "manage-profile replace-profile" sometimes failed with an error similar to the following: The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) …​ This fix ensures that the configuration is loaded prior to the merge that the error message refers to.

Fixed DS-45960 PingDirectory

Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.

Fixed DS-46121 PingDataSync

Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.

Fixed DS-46392 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the PingDirectoryProxy server.

Improved DS-46129 PingDirectoryProxy

Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.

Improved DS-46332 PingDirectory

The replication server now continues to handle incoming replication connections even when there is an unexpected exception.

Security DS-45462

Updated PingDirectory products to use Kafka v2.8.1.

Fixed DS-45449 PingDirectory

Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

Improved DS-45485 PingDirectory, PingDirectoryProxy

Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the LDAP SDK for Java.

Fixed DS-45788 PingDirectory

Fixed an issue where the Directory Rest API returns an HTTP 500 error response when trying to retrieve a SCIM entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.

Fixed DS-45863 PingDirectory

Resolved an issue where SCIM POST requests that violated a unique attribute constraint received an error response with status 400 (Bad Request) instead of 409 (Conflict).

Fixed DS-46017 PingDirectory

Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.

Fixed DS-45647 PingDirectory

Resolved an issue where SCIM POST requests that violated a unique attribute constraint got an internal error instead of the expected SCIM error response.

Fixed DS-46119 PingDataSync

Fixed an issue encountered when using PingDataSync with a PingOne Sync Destination that caused sync to slow down significantly after 5 minutes and generate extraneous requests to the sync destination.

Issue PingDataSync

For multi-valued JSON attributes, you should not use JSON attribute mappings when synchronizing data to a PingOne destination. When synchronizing JSON data, you can use a direct attribute mapping if the data at the source server is JSON. If the data at the source server should be assembled into JSON form, you can define a constructed attribute mapping.

Improved DS-36184, DS-45125 PingDataSync

Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.

When defining attribute mappings for a PingOne destination, you can use direct attribute mappings for string to string or JSON to JSON synchronizations. If a string attribute at the source server should be stored as JSON in the PingOne environment, you should define a constructed attribute mapping in PingDataSync.

Improved PingDirectory

Entry-balancing is a PingDirectoryProxy Server configuration that allows the entries within a portion of the directory information tree (DIT) to reside on multiple external servers. The entry counter, hash distinguished name (DN) and round-robin placement algorithms can now be configured to exclude backend sets for add operations allowing for greater control over the use of multiple servers for entry balancing.

Improved PingDirectory

PingDirectory provides a number of interfaces for interacting with entries within the data store including LDAP and several REST APIs. In this release, the Directory REST API can now return any tagging options that are defined for an attribute. These tagging options are treated as subtypes of the same attribute while not explicitly declared in the schema.

Improved PingDirectory

In an earlier release, PingDirectory added support for a passphrase provider API to secure administrative passphrases, pins or passwords. This release adds both CyberArk Conjur and Azure Key Vaults to the list of available passphrase and cipher stream providers. Cipher stream providers are used to protect the keys stored in the encryption settings database

Improved PingDirectory

Because administrators now have the ability to single sign-on (SSO) to the PingDirectory administrative console, the File Servlet used to download files from a server instance can now also use OAuth tokens for authentication along with the basic HTTP authentication method, such as username and password.

Fixed PingDirectory, PingDirectoryProxy, PingDataSync

The administrative console is one tool you can use to configure and manage PingDirectory servers. In this release, you can now apply your own branding to console elements such as background colors, images and logos, and certain text elements. Sign on, sign out, and configuration pages are included in possible configuration areas. For more information, see the README.txt file in the console .war file shipped with PingDirectory.

Improved PingDirectory

To improve the defunct server topology cleanup process when your topology is unhealthy, such as during a network outage or disaster recovery, a new option to the remove-defunct-server command cleans up stale replication metadata before the server is added back into the topology. This new argument, --performLocalCleanup, allows administrators to easily take a server out of a topology for maintenance or troubleshooting and return the server back to the topology later. For more information on remove-defunct-server and its options, run bin/remove-defunct-server --help.

Improved PingDirectory

Earlier PingDirectory Server versions support pass-through authentication to remote LDAP servers or to PingOne, which can be useful when migrating data into the Directory Server from another service, or when the Directory Server needs to coexist with another service that is an authoritative source for user passwords. This release adds support for a pluggable pass-through authentication plugin, which makes it possible to pass through simple bind requests to an arbitrary external service using a pass-through authentication handler to manage interaction with that service, and the Server SDK has been updated to allow creating custom pass-through authentication handlers. As with existing pass-through authentication support, this functionality is only available for LDAP simple binds, and it does not support SASL authentication. For more information on this plugin, see Working with pass-through authentication

Improved PingDirectory

In multi-server deployments, replication is used to maintain consistency of data and schema between the servers. With larger deployments, attempting to initialize replication for multiple servers can take longer. New options to the dsreplication command can now speed up this process by initializing replication on multiple servers in parallel. The number of servers can either be the entire set of servers in the deployment, or a subset of servers based on location, or instance name or a specific number. For more information on dsreplication subcommands, see Summary of the dsreplication Subcommands.

Improved PingDirectory

Typically, the passwords for administrative users have been stored directly in PingDirectory based on the configured password storage scheme. To provide enhanced security for those administrative accounts that need it, a new password storage scheme has been added that allows for the password to be stored in an external vault. Currently, Amazon AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault are supported.

Improved PingDirectory

To better manage the configuration of multiple servers in large topologies, PingDirectory uses the config-audit log file to allow administrators to easily determine, replay or undo configuration changes made to servers. Previously, when modifying topology or cluster configuration, the original requesting account information was not logged. Now, to assist administrators and improve server auditing, the config-audit logs will track the originating account information that made individual changes. For circumstances where more protection is required, there is a new property that will redact any sensitive attributes that might be written to the log file (instead of the default obfuscation behavior). This includes instances where administrative users change their passwords and affects any other condition where the sensitive attribute might be displayed for informational purposes such as alerts.

Improved PingDataSync

Many customers use PingDataSync Server to either migrate from Active Directory or use Active Directory in conjunction with PingDirectory to manage user accounts. Administrators can now configure PingDataSync to include account state information set in Active Directory specifically lockout time, the last time the password was set and whether or not the account is disabled. This information can now be properly set within PingDirectory based on the information set in the account in Active Directory.

Issue PingDirectoryProxy

If the DirectoryProxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.

In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the DirectoryProxy Server could have selected a result from a backend server in which the target entry didn’t exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.

There are still known cases, however, in which the DirectoryProxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn’t allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.

Fixed PingDirectory, PingDataSync

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

Fixed DS-44591 PingDirectory

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Fixed DS-37117 PingDirectory

Fixed an issue where the Directory REST API encountered internal server errors while processing entries whose attributes have LDAP tagging options.

Fixed DS-38498, DS-38621 PingDirectory

An LDAP pass-through authentication handler has also been provided, which allows the new plugin to be used as an alternative to the existing LDAP-specific pass-through authentication plugin. The new implementation provides additional functionality not available in the previous plugin, including the ability to indicate whether pass-through authentication should be allowed for accounts that are locked or have expired passwords and the ability to set timeouts that will be used when interacting with external LDAP servers. It also has improved default settings and offers better diagnostic information about its processing.

Fixed DS-40671 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.

Fixed DS-40796 PingDirectory

To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.

Fixed DS-40926 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, which could be included in the server’s configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive will be obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values, but could interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.

Fixed DS-42752 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added sorting functionality to the Name and Category columns of the monitor table in the administrative console.

Fixed DS-42961 PingDirectory

To help with replication backlog analysis, the replication summary monitor now includes a replica-partial-backlog attribute that shows how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute also shows the change numbers used for the calculation.

Fixed DS-43056 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Updated the server to record the original requester distinguished name (DN) and IP address in access log and config audit log messages for mirrored configuration changes.

Fixed DS-43582 PingDirectory, PingDirectoryProxy

Fixed a couple of issues in which the server might not properly handle other controls included in a search request containing a join request control. For search operations passing through the Directory Proxy Server, other response controls could have been inadvertently stripped from search result entries when adding the join result control. Further, if a search request included a join request control in conjunction with one or more other controls, the request control immediately following the join request control might not have been properly handled.

Fixed DS-43917 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service. The server can authenticate to Conjur using a username and a password or an API key.

Fixed DS-43918 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSYnc

The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service.

Fixed DS-43959, DS-44924 PingDirectory

These can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that can be provided for an attribute.

Fixed DS-44081 PingDirectory

Addressed an issue where proxied authorization would fail in rare cases for usernames with 57 or 58 characters and DNs with 108 or 109 characters.

Fixed DS-44280, DS-45027, DS-45037 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS-140-2-compliant mode.

Fixed DS-44329 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Resolved an issue where the View API Commands link appeared to be disabled in the administrative console.

Fixed DS-44454 PingDirectory

Fixed an issue where non-DN modifications associated with a moddn change would silently fail to replicate.

Fixed DS-44495 PingDirectory

Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.

Fixed DS-44519 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server’s encryption settings database. Only certificates with RSA key pairs can be used because Java virtual machines (JVMs) do not currently provide adequate key wrapping support for elliptic curve key pairs.

Fixed DS-44577 PingDirectory

Server instances, which are within a mirrored subtree, can now be safely mirrored to older servers in mixed version topologies. This is done by adding the following to server instances: objectclass: extensibleObject.

Fixed DS-44591 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Fixed DS-44595 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The PingData Administrative Console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (ex: PKCS12 or BCFKS) are now properly supported.

Fixed DS-44601 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.

Fixed DS-44602 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.

Fixed DS-44604 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept but warn about paths that reference files that do not exist.

Fixed DS-44623 PingDirectory, PingDirectoryProxy

Fixed an issue that caused an internal root account (used for processing certain types of internal operations) to be subject to the server’s default password policy. With some password policy configurations, if a DirectoryProxy Server attempted to perform an internal operation that targeted data in a backend Directory Server, that operation could have been incorrectly rejected.

Fixed DS-44648 PingDirectory

Addressed an issue where symmetric keys were not being sanitized in the config-audit.log.

Fixed DS-44669 PingDirectory

Updated the export-ldif tool to always base64 encode values with any ASCII control characters. The LDIF specification in RFC 2849 only requires base64 encoding for the NUL, LF, and CR control characters, and those are the only control characters that were previously base64 encoded. However, the specification also permits base64 encoding for any type of character, and always base64 encoding all control characters is safer and reduces the chance for errors when working with values containing such characters.

Fixed DS-44757 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Fixed DS-44758 PingDirectory

Updated the migrate-ldap-schema tool to provide more flexibility for TLS negotiation, support for SASL authentication, support for using a properties file, and better validation for migrated attribute type and object class definitions.

Fixed DS-44793 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.

Fixed DS-44884 PingDirectory

Improved performance for modify operations that need to insert an entry ID into the middle of a very large composite index ID set.

Fixed DS-44892 PingDirectory

Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (i.e., a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.

Fixed DS-44904 PingDirectory

Fixed a race condition that could sporadically cause an error when backing up an encrypted backend.

Fixed DS-44931 PingDirectory

Addressed an issue where simple binds on entries without passwords would not update the relevant password policy attributes, such as ds-pwp-auth-failure.

Fixed DS-44940 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.

Fixed DS-44942 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server might not use appropriate resource limit values for accounts that bind with pass-through authentication. In such cases, the server might apply size limit, time limit, idle time limit, and other constraints from the global configuration instead of alternative values for those limits set in the user entry.

Fixed DS-45032 PingDirectory

Fixed DS-45038 PingDirectory

For the initilaze-all dsreplication subcommand avoid closing connections to remote servers multiple times in order to apply the new generation ID.

Fixed DS-45039 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for the use of Java Development Kits (JDKs) obtained through Eclipse Foundation.

Fixed DS-45056 PingDirectory

Fixed an issue where explicit createTimestamp values are replicated to peer servers using a default timestamp format rather than the non-default format value stored on the first server.

Fixed DS-45060 PingDirectory

This might allow the virtual attribute to provide values from another entry even if the requester would not otherwise have permission to access those values.

Fixed DS-45115 PingDirectory

Fixed a Ping Directory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.

Fixed DS-45124 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.

Fixed DS-45153 PingDirectory

Fixed an issue that prevented the composed attribute plugin from working for operations that are part of a multi-update request.

Fixed DS-45154 PingDirectory

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.

Fixed DS-45160 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Changed the default tab in the administrative console to Modify when updating an existing server resource with new changes

Fixed DS-45162 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for new extended operations to help manage the server’s listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.

Fixed DS-45190 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for the use of JDKs obtained through BellSoft.

Fixed DS-45203 PingDirectory

Resolved a performance issue that could cause servers installed using a server encryption option to spend several minutes waiting in the Initializing Crypto Manager phase during server startup.

Fixed DS-45284 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added a scroll bar to the administrative console’s Server list to ensure all servers are accessible regardless of screen size.

Fixed DS-44678 PingDirectoryProxy

Updated the entry counter, hash DN, and round robin placement algorithms to make it possible to exclude specified backend sets from consideration when adding new entries to an entry-balanced topology.

Fixed DS-44798 PingDirectoryProxy

Improved the logic the server uses to select the best result to return to the client when an operation fails in an entry-balanced topology after the request was broadcast to all backend sets. In some cases, the server could have incorrectly returned a result from a backend set in which the target entry did not exist instead of a more appropriate result from the backend set that did contain the entry.

Fixed DS-44224 PingDataMetrics

Addressed an issue where icons on the dashboards were not properly displayed.

Fixed DS-44513 PingDataSync

Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.

Fixed DS-44636 PingDataSync

Synchronize from Active Directory userAccountControl bit indicating that the account is disabled (bit #2) (or msDS-UserAccountDisabled on AD-LDS) to PingDirectory attribute ds-pwp-account-disable. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.

Fixed DS-44660 PingDataSync

Synchronize from Active Directory attribute pwdLastSet with the password changed time to PingDirectory attribute pwdChangedTime. Because pwdChangedTime can not be written to directly an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime.

Fixed DS-44922 PingDataSync

Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes with the same base name but with different option tags, and any of these attributes having more values in the source entry than the replace-all-attr-values-limit for the Sync class.

Fixed DS-45134 PingDataSync

Addressed an issue where PingDataSync was not syncing entries to PingOne environments due to rate-limiting responses from PingOne.

Fixed DS-45138 PingDataSync

Addressed an issue where the max-rate-per-second configuration setting was not being applied to the resync tool.

Improved Delegated Admin

Previously, the only way to unlock an account was for an administrator to reset the password. Now, delegated administrative users can directly unlock an account without resetting the password. For more information, see Unlocking user accounts.

Improved Delegated Admin

This option is available for the Groups, Users, and Generic rest resource types.

For more information, see delegated_admin_application_guide:pd_da_manage_groups.adoc#section_vk5_yll_xsb.

Improved Delegated Admin

Earlier versions of Delegated Admin have used the Implicit grant type as the default OpenID Connect (OIDC) grant type. Because the Implicit grant type can leak access tokens, it is no longer recommended for use. In new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE. To change your default OIDC grant type to Authorization Code with PKCE in existing installations of Delegated Admin, see Changing the default OIDC grant type.

For more information on the Implicit grant type, see OAuth 2.0 Implicit Grant.

Issue Delegated Admin

Because the account locked state, dadmin-account-locked, is not a true attribute, it is not available for filtering in reporting.

Issue Delegated Admin

If a resource is linked to more correlated resources than the correlated resource type’s search limit, then no resources will be displayed for that correlated resource type. To view the resources for that correlated resource type, increase the correlated resource type’s search limit.

Fixed DS-40723 Delegated Admin

Fixed an issue where an error message was not displayed when password generation was unsuccessful.

Fixed DS-45075 Delegated Admin

Fixed an issue that prevented the first value in a multi-valued attribute from being deleted.

Fixed DS-45079 Delegated Admin

Updated the warning banner for configuration errors to only display for the first 10 seconds after signing in to Delegated Admin.

Fixed DS-45448 Delegated Admin

Added the ds-pwp-modifiable-state-json attribute to user resource types automatically.

Fixed DS-45502 Delegated Admin

Fixed an issue in which a user’s password policy was not being used to generate new passwords for the user.