PingDirectory suite of products 9.1.0.0 (June 2022)
Added support to sanitize access logs to protect sensitive information
New
Log files can contain sensitive or identifiable information that you might not want recorded in the clear. The server can now be configured to sanitize access logs as they are being written. This is available for any writer-based or JSON-formatted access log, and elements in a log message can be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see Log sanitization.
Added support for processing JSON-formatted access logs
New
PingDirectory provides a robust logging system that allows detailed analysis of the server’s functioning, including support for writing log files in JSON format. The summarize-access-log command, which displays several metrics about operations processed within the server, now supports processing JSON-formatted access logs.
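The following is an added example, not PingDirectory's summarize-access-log tool. It shows the kind of processing such a tool performs on a one-JSON-object-per-line access log: skipping unparseable lines, counting operations and result codes, computing processing-time statistics per operation type, listing failed binds, and flagging negative processing times (which a correct logger never emits; compare DS-45487 below). The log lines are constructed, and the camelCase field names are assumptions modelled on the UnboundID JSON access log format.

```python
"""Summarize a JSON-formatted LDAP access log (added example, not the product's tool)."""
import json
from collections import Counter, defaultdict
from typing import Iterable, List

# Constructed sample log: one JSON object per line, plus one junk line.
# Field names (messageType, operationType, ...) are assumptions.
SAMPLE_LOG = """\
{"timestamp":"2022-06-01T10:00:00.123Z","messageType":"connect","connectionID":7,"requesterIP":"10.0.0.5"}
{"timestamp":"2022-06-01T10:00:00.130Z","messageType":"result","operationType":"bind","connectionID":7,"operationID":0,"bindDN":"uid=jdoe,ou=People,dc=example,dc=com","resultCode":0,"processingTimeMillis":1.4}
{"timestamp":"2022-06-01T10:00:00.140Z","messageType":"result","operationType":"search","connectionID":7,"operationID":1,"baseDN":"dc=example,dc=com","filter":"(uid=jdoe)","entriesReturned":1,"resultCode":0,"processingTimeMillis":0.8}
{"timestamp":"2022-06-01T10:00:01.000Z","messageType":"result","operationType":"search","connectionID":7,"operationID":2,"baseDN":"dc=example,dc=com","filter":"(cn=*)","entriesReturned":0,"resultCode":11,"processingTimeMillis":250.2}
{"timestamp":"2022-06-01T10:00:01.100Z","messageType":"result","operationType":"bind","connectionID":8,"operationID":0,"bindDN":"uid=mallory,ou=People,dc=example,dc=com","resultCode":49,"processingTimeMillis":2.1}
this line is not JSON and is skipped
{"timestamp":"2022-06-01T10:00:02.000Z","messageType":"disconnect","connectionID":7,"requesterIP":"10.0.0.5","disconnectReason":"Client Unbind"}
"""


def parse_json_access_log(lines: Iterable[str]) -> List[dict]:
    """Return the JSON objects found in the log, skipping blank or malformed lines
    (a file rotated mid-write or a non-JSON banner must not abort a summary run)."""
    messages = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            messages.append(obj)
    return messages


def summarize(messages: List[dict]) -> dict:
    """Operation counts, result-code distribution, average and maximum processing
    time per operation type, failed binds by DN, and a count of negative
    processing times, which indicate a logger bug rather than a fast operation."""
    ops, result_codes, timed = Counter(), Counter(), Counter()
    total_ms, max_ms = defaultdict(float), defaultdict(float)
    failed_binds = Counter()
    negative_times = 0
    for msg in messages:
        if msg.get("messageType") != "result":
            continue  # connect/disconnect/request messages carry no result
        op = msg.get("operationType", "unknown")
        ops[op] += 1
        rc = int(msg.get("resultCode", -1))
        result_codes[rc] += 1
        if op == "bind" and rc != 0:
            failed_binds[msg.get("bindDN", "")] += 1
        ms = float(msg.get("processingTimeMillis", 0.0))
        if ms < 0:
            negative_times += 1
            continue  # do not let a bogus value distort the averages
        timed[op] += 1
        total_ms[op] += ms
        max_ms[op] = max(max_ms[op], ms)
    return {
        "operations": dict(ops),
        "result_codes": dict(result_codes),
        "avg_processing_ms": {op: total_ms[op] / n for op, n in timed.items()},
        "max_processing_ms": dict(max_ms),
        "failed_binds_by_dn": dict(failed_binds),
        "negative_processing_times": negative_times,
    }


def summarize_file(path: str) -> dict:
    """Summarize a JSON access log on disk."""
    with open(path, encoding="utf-8") as f:
        return summarize(parse_json_access_log(f))


if __name__ == "__main__":
    print(json.dumps(summarize(parse_json_access_log(SAMPLE_LOG.splitlines())), indent=2))
```

Run it against a real JSON access log with summarize_file(path); the per-DN failed-bind counter is the figure worth alerting on, since it separates a password-spray pattern (many DNs, one failure each) from a brute-force pattern (one DN, many failures).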
Updated Directory REST API
New
The Directory REST API allows developers to create customized applications for managing the entries in a directory instance. It now supports controls that were previously available only through LDAP. This includes the ability to perform joins, allowing for advanced modeling of relationships between entries.
Added conflict error messages for replicated PingDirectory deployments
New
In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically, and in such cases the server whose add attempt creates a conflict now returns a CONFLICT result in the replication response control and LDAP result code.
JSON-formatted access logger updated
Improved DS-44507, DS-45243, DS-45530
Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.
PingDataSync Server supports PingOne as a sync destination
Improved PingDataSync
PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.
Synchronize data to custom attributes defined in the PingOne environment
Improved PingDataSync
When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.
Repeating cycle when resetting a password
Issue PingDirectory
If your password policy for an admin user (such as a topology administrator or rootDN) is set with force-change-on-reset:true or force-change-on-add:true, an administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator into a repeating cycle when resetting the password.
One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:
$ bin/manage-account set-must-change-password \
--mustChangePassword false \
--targetDN cn=<admin cn>
setup tool failure because of Bouncy Castle JAR files
Issue
The setup command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the lib directory that begin with bc. The JAR files are mentioned in an error message similar to the following:
An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server’s classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process.
A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.
Bouncy Castle libraries are not removed from the lib directory.
Issue DS-46007
If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the lib directory, resulting in both the older and newer versions of the library being in the lib directory. This should not cause any problems with the server, but it might result in warning messages in the server’s error log about different versions of the same JAR file in the classpath (for example, The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar and The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.
JSON-formatted controls rejected
Issue DS-46016 PingDirectory, PingDirectoryProxy
JSON-formatted join request controls with their criticality set to false are rejected as if their criticality were true by non-search requests.
Fixed an issue that prevented the server from refreshing monitor data
Fixed DS-41468
Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.
Fixed the status tool
Fixed DS-44481
The status tool now shows the current collect-support-data version.
Fixed key and trust store PIN issues
Fixed DS-45336
Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.
Updated the server to create the esTokenizer.ping file if it does not exist
Fixed DS-45449 PingDirectory
Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.
Password policies using virtual attributes are now correctly applied
Fixed DS-45466 PingDirectory
Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.
Improved string representations of active operations and persistent searches
Fixed DS-45485 PingDirectory, PingDirectoryProxy
Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.
The encode-password tool now works with AES256 password storage
Fixed DS-45546 PingDirectory
Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.
Support added for synchronizing custom attributes defined in PingOne destinations
Fixed DS-36184, DS-45125 PingDataSync
Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.
Set a consistent priority index when adding two PingDataSync servers into a new failover topology
Fixed DS-45123 PingDataSync
Updated the manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.
Updated the sanitize-log tool
Fixed DS-16236 PingDirectory
Updated the sanitize-log tool to better align with the server’s support for sanitizing log messages as they are logged. Changes include:
- It is preconfigured with default behaviors for an expanded set of log fields.
- It can be configured to suppress the default log field behavior configuration and use only explicitly specified configuration.
- It offers support for additional sanitization options, including omitting fields and differentiating between values that should be redacted or tokenized in their entirety and values that should be redacted or tokenized by component.
- It now uses syntax-aware redaction and tokenization.
- It offers support for specifying a default behavior to use on a per-syntax basis.
- It can obtain its settings from a log field behavior definition in the server configuration.
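The following is an added example illustrating the log sanitization concepts described in the "Added support to sanitize access logs" item above and in the sanitize-log changes listed here; it is not PingDirectory's sanitize-log tool or its log-field-behavior configuration. It implements a behavior per field (preserve, omit, redact, tokenize), a default behavior per syntax, a switch to suppress those defaults, and redaction or tokenization either of a whole value or component by component (per RDN value for a DN, per assertion value for a search filter, leaving attribute names, operators and substring wildcards intact). Field names, the syntax table and the sample record are constructed.

```python
"""Syntax-aware sanitization of JSON access log records (added example)."""
import hashlib
import hmac
import json
import re
from typing import Dict, Optional, Tuple

# (action, granularity): action is preserve/omit/redact/tokenize, granularity is entire/components.
Behavior = Tuple[str, str]

# Assumed syntax of each log field; unknown fields are treated as plain strings.
FIELD_SYNTAX = {
    "bindDN": "dn", "authzDN": "dn", "dn": "dn", "baseDN": "dn",
    "filter": "filter", "requesterIP": "ip",
}

# Default behavior per syntax (a per-syntax default, as the tool now supports).
DEFAULT_SYNTAX_BEHAVIOR: Dict[str, Behavior] = {
    "dn": ("tokenize", "components"),
    "filter": ("tokenize", "components"),
    "ip": ("redact", "entire"),
    "string": ("preserve", "entire"),
}

REDACTED = "***REDACTED***"
# One filter component "(attr op value)"; the attribute name and operator are kept.
_FILTER_COMPONENT = re.compile(r"\(([A-Za-z0-9.;-]+)(>=|<=|~=|=)([^()]*)\)")

# Constructed sample record in the style of a JSON access log result message.
SAMPLE_RECORD = {
    "timestamp": "2022-06-01T10:00:00.140Z", "messageType": "result",
    "operationType": "search", "connectionID": 7, "requesterIP": "10.0.0.5",
    "bindDN": "uid=jdoe,ou=People,dc=example,dc=com",
    "baseDN": "dc=example,dc=com",
    "filter": "(&(objectClass=person)(uid=jd*))", "resultCode": 0,
}


class LogSanitizer:
    def __init__(self, key: bytes, field_behaviors: Optional[Dict[str, Behavior]] = None,
                 suppress_defaults: bool = False):
        self.key = key
        self.field_behaviors = field_behaviors or {}
        self.suppress_defaults = suppress_defaults

    def token(self, value: str) -> str:
        """Keyed, deterministic token: equal values give equal tokens, so correlation
        across the log survives, but the value cannot be recovered without the key
        (an unkeyed hash of a DN or uid is trivially reversible by guessing)."""
        digest = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return "{" + digest[:12] + "}"

    def _behavior(self, field: str) -> Behavior:
        if field in self.field_behaviors:
            return self.field_behaviors[field]
        if self.suppress_defaults:
            return ("preserve", "entire")
        return DEFAULT_SYNTAX_BEHAVIOR[FIELD_SYNTAX.get(field, "string")]

    def _by_components(self, syntax: str, value: str, action: str) -> str:
        repl = (lambda _v: REDACTED) if action == "redact" else self.token
        if syntax == "dn":
            # Assumes no escaped commas or multi-valued RDNs (none in the sample data).
            rdns = []
            for rdn in value.split(","):
                attr, _, val = rdn.strip().partition("=")
                rdns.append(f"{attr}={repl(val)}")
            return ",".join(rdns)
        if syntax == "filter":
            def sub(m):
                attr, op, val = m.groups()
                # Keep substring wildcards in place; transform only the literal pieces.
                pieces = [repl(p) if p else "" for p in val.split("*")]
                return f"({attr}{op}{'*'.join(pieces)})"
            return _FILTER_COMPONENT.sub(sub, value)
        return repl(value)  # syntaxes without components: treat as a whole

    def sanitize(self, record: dict) -> dict:
        out = {}
        for field, value in record.items():
            action, granularity = self._behavior(field)
            if action == "omit":
                continue
            if action == "preserve":
                out[field] = value
                continue
            text = value if isinstance(value, str) else json.dumps(value)
            if granularity == "components":
                out[field] = self._by_components(FIELD_SYNTAX.get(field, "string"), text, action)
            else:
                out[field] = REDACTED if action == "redact" else self.token(text)
        return out

    def sanitize_line(self, line: str) -> str:
        """Sanitize one JSON log line and return it as a compact JSON line."""
        return json.dumps(self.sanitize(json.loads(line)), separators=(",", ":"))
```

Because the tokens are keyed, two sanitized logs produced with the same key can still be joined on bindDN or filter values, which is what makes tokenization preferable to redaction for incident analysis; rotate the key and the linkage is gone.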
Improved assured replication result codes for conflicts
Improved DS-42302 PingDirectory
Added support for improved assured replication result codes when replication conflicts occur. For processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.
Fixed password policy state extended operation
Fixed DS-44667 PingDirectory
Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.
Added a new Docker command-line tool
Improved DS-45147 PingDirectory, PingDataSync, PingDirectoryProxy
Added a docker-pre-start-config command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container’s environment.
Added a new argument for manage-profile generate-profile
Improved DS-45163
Added a --excludeSetupArguments argument for the manage-profile generate-profile command, which allows generating a server profile that does not include a setup-arguments.txt file. Added a --skipValidation argument for the manage-profile replace-profile command, which allows skipping the final server validation step when running on an offline server. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile’s <server-root>/pre-setup/ directory.
Fixed an issue with server privileges
Fixed DS-45250
Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.
Improved protections around the ds-pwp-modifiable-state-json operational attribute
Improved DS-45255, DS-45504, DS-45505 PingDirectory
Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute when the Modifiable Password Policy State plugin is not enabled. The plugin is disabled by default. Previously, the server allowed writes to that attribute with the plugin disabled, but those writes only polluted the entry and had no effect on its password policy state. The server now allows updates to ds-pwp-modifiable-state-json only if the plugin is enabled. Similarly, the server now rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the plugin disabled. Writes to this attribute are only supported for modify operations; the server already rejected add attempts targeting the attribute when the plugin was enabled but did not reject them when the plugin was disabled.
The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it rejects a modify request that updates ds-pwp-modifiable-state-json in another user’s entry and resets that user’s password in the same request. The former restriction prevents changes that could allow an administrator to exempt themselves from password policy restrictions; the latter protects against conflicts between two modifications in the same request that both attempt to alter a user’s password policy state.
Fixed a backwards compatibility issue with the migrate-ldap-schema tool
Fixed DS-45322 PingDirectory
A former version of the tool allowed the --useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.
Removed two password policies for non-password users
Fixed DS-45439, SF:00741269 PingDirectory
Minimum and maximum age password policies are no longer applied for users without a password.
Updated Kafka version
Security DS-45462
Updated PingDirectory products to use Kafka 2.8.1, which resolves.
Fixed incorrect index skipping
Fixed DS-45470 PingDirectory
Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine where the results from one index should already be encompassed by results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).
Updated the topology registry and the replace-certificate tool
Improved DS-45480, DS-45636
Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server’s certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.
Made the following updates to the replace-certificate tool:
- Added new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
- Added a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
- Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options are suppressing the update, only adding the listener certificate itself, only adding the listener certificate’s issuers, or adding both the listener certificate and its issuers.
- Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid, so that a non-valid certificate can be replaced.
Fixed an access log reporting issue
Fixed DS-45487 PingDirectory
Fixed an issue where access logs incorrectly reported negative processing times for certain operations.
Added support for JSON-formatted request and response controls
Improved DS-45494 PingDirectory, PingDirectoryProxy
Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.
Updated the server Bouncy Castle cryptographic library versions
Security DS-45503
Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.
Added support for generic strings in access and error log messages
Improved DS-45541, DS-45542
Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.
Updated the local DB backend to disable the index cursor entry limit by default
Improved DS-45564 PingDirectory
This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.
In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.
Fixed gauge alarm issues
Fixed DS-45578 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.
Fixed server lockdown issue in newly initialized databases
Fixed DS-45582 PingDirectory
Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server "…may have missed one or more update(s)." if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.
Updated the export-reversible-passwords tool
Fixed DS-45600 PingDirectory
Updated the export-reversible-passwords tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.
Fixed a server operation rejection issue
Fixed DS-45767 PingDirectory
Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It continues to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.
Fixed a replication protocol message issue
Fixed DS-45714, SF:00753519 PingDirectory
Fixed an issue that allowed replication protocol messages to be dropped.
Updated to LDAP SDK version 6.0.5
Fixed DS-45746 PingDirectory
Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.
Fixed a server issue causing internal errors during monitoring
Fixed DS-45786 PingDirectory
Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.
Fixed a Directory REST API error with mismatched time syntax attribute values
Fixed DS-45788 PingDirectory
Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
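The following is an added example, not code from PingDirectory or its Directory REST API. It parses every form the LDAP Generalized Time syntax (RFC 4517, section 3.3.13) permits and canonicalizes it, which is the check a REST layer needs instead of assuming the single form YYYYMMDDhhmmssZ: the syntax also allows omitted seconds or minutes, a "." or "," fraction of the smallest unit given, a leap second, and a numeric UTC offset instead of Z. The sample values are constructed.

```python
"""Generalized Time (RFC 4517, 3.3.13) parser and canonicalizer (added example)."""
import re
from datetime import datetime, timedelta, timezone
from fractions import Fraction

# century year month day hour [minute [second]] [fraction] (Z | +hh[mm] | -hh[mm])
_GENERALIZED_TIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(?:[.,](\d+))?(Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value: str) -> datetime:
    """Return a timezone-aware datetime; raise ValueError for any invalid value."""
    m = _GENERALIZED_TIME.match(value)
    if m is None:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    year, month, day, hour, minute, second, fraction, zone = m.groups()

    # The fraction applies to the smallest unit that was actually specified.
    if second is not None:
        unit_seconds = 1
    elif minute is not None:
        unit_seconds = 60
    else:
        unit_seconds = 3600

    # A leap second (second == 60) is not representable by datetime; carry it over.
    carry = timedelta(0)
    sec = int(second) if second is not None else 0
    if sec == 60:
        sec = 59
        carry = timedelta(seconds=1)

    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0))
        tz = timezone(sign * offset)  # raises ValueError for an impossible offset

    # datetime validates month/day/hour/minute ranges and raises ValueError itself.
    dt = datetime(int(year), int(month), int(day), int(hour),
                  int(minute) if minute is not None else 0, sec, tzinfo=tz)

    if fraction is not None:
        # Exact arithmetic so ",5" of an hour is precisely 30 minutes.
        exact = Fraction(int(fraction), 10 ** len(fraction)) * unit_seconds
        dt += timedelta(microseconds=round(exact * 1_000_000))
    return dt + carry


def canonicalize_generalized_time(value: str) -> str:
    """Normalize any valid form to UTC 'YYYYMMDDhhmmss[.fff]Z', the shape an API
    can hand to clients regardless of how the LDAP value was written."""
    dt = parse_generalized_time(value).astimezone(timezone.utc)
    text = dt.strftime("%Y%m%d%H%M%S")
    if dt.microsecond:
        text += "." + f"{dt.microsecond:06d}".rstrip("0")
    return text + "Z"


def is_valid_generalized_time(value: str) -> bool:
    """Syntax check usable as a validator before storing or serializing a value."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False
```

The parser deliberately rejects ISO 8601 input ("2022-06-01T10:00:00Z"), a missing zone designator, and out-of-range fields, so a caller gets a ValueError it can map to a 400 response rather than an unhandled 500.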
Fixed Proxy server manage-profile replace-profile errors
Fixed DS-45798 PingDirectoryProxy
In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:
The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) ...
This fix ensures that the configuration is loaded before the merge that the error message refers to.
Updated the commons-codec library
Security DS-45898
Updated the commons-codec library to version 1.13.