---
title: PingDirectory suite of products 9.1.0.0 (June 2022)
description: New
component: pingdirectory
version: 9.3
page_id: pingdirectory:release_notes:pd_ds_rn_9100
canonical_url: https://docs.pingidentity.com/pingdirectory/9.3/release_notes/pd_ds_rn_9100.html
revdate: February 16, 2024
section_ids:
  added-support-to-sanitize-access-logs-to-protect-sensitive-information: Added support to sanitize access logs to protect sensitive information
  added-support-for-processing-json-formatted-access-logs: Added support for processing JSON-formatted access logs
  updated-directory-rest-api: Updated Directory REST API
  added-conflict-error-messages-for-replicated-pingdirectory-deployments: Added conflict error messages for replicated PingDirectory deployments
  json-formatted-access-logger-updated: JSON-formatted access logger updated
  pingdatasync-server-supports-pingone-as-a-sync-destination: PingDataSync Server supports PingOne as a sync destination
  synchronize-data-to-custom-attributes-defined-in-the-pingone-environment: Synchronize data to custom attributes defined in the PingOne environment
  repeating-cycle-when-resetting-a-password: Repeating cycle when resetting a password
  setup-tool-failure-because-of-bouncy-castle-jar-files: setup tool failure because of Bouncy Castle JAR files
  bouncy-castle-libraries-are-not-removed-from-the-lib-directory: Bouncy Castle libraries are not removed from the lib directory.
  json-formatted-controls-rejected: JSON-formatted controls rejected
  fixed-an-issue-that-prevented-the-server-from-refreshing-monitor-data: Fixed an issue that prevented the server from refreshing monitor data
  fixed-the-status-tool: Fixed the status tool
  fixed-key-and-trust-store-pin-issues: Fixed key and trust store PIN issues
  updated-the-server-to-create-the-estokenizer-ping-file-if-it-does-not-exist: Updated the server to create the esTokenizer.ping file if it does not exist
  password-policies-using-virtual-attributes-are-now-correctly-applied: Password policies using virtual attributes are now correctly applied
  improved-string-representations-of-active-operations-and-persistent-searches: Improved string representations of active operations and persistent searches
  the-encode-password-tool-now-works-with-aes256-password-storage: The encode-password tool now works with AES256 password storage
  support-added-for-synchronizing-custom-attributes-defined-in-pingone-destinations: Support added for synchronizing custom attributes defined in PingOne destinations
  set-a-consistent-priority-index-when-adding-two-pingdatasync-servers-into-a-new-failover-topology: Set a consistent priority index when adding two PingDataSync servers into a new failover topology
  updated-the-sanitize-log-tool: Updated the sanitize-log tool
  improved-assured-replication-result-codes-for-conflicts: Improved assured replication result codes for conflicts
  fixed-password-policy-state-extended-operation: Fixed password policy state extended operation
  added-a-new-docker-command-line-tool: Added a new Docker command-line tool
  added-a-new-argument-for-manage-profile-generate-profile: Added a new argument for manage-profile generate-profile
  fixed-an-issue-with-server-privileges: Fixed an issue with server privileges
  improved-protections-around-the-dw-pwp-modifiable-state-json-operational-attribute: Improved protections around the dw-pwp-modifiable-state-json operational attribute
  fixed-a-backwards-compatibility-issue-with-the-migrate-ldap-schema-tool: Fixed a backwards compatibility issue with the migrate-ldap-schema tool
  removed-two-password-policies-for-non-password-users: Removed two password policies for non-password users
  updated-kafka-version: Updated Kafka version
  fixed-incorrect-index-skipping: Fixed incorrect index skipping
  updated-the-topology-registry-and-the-replace-certificate-tool: Updated the topology registry and the replace-certificate tool
  fixed-an-access-log-reporting-issue: Fixed an access log reporting issue
  added-support-for-json-formatted-request-and-response-controls: Added support for JSON-formatted request and response controls
  updated-the-server-bouncy-castle-cryptographic-library-versions: Updated the server Bouncy Castle cryptographic library versions
  added-support-for-generic-strings-in-access-and-error-log-messages: Added support for generic strings in access and error log messages
  updated-the-local-db-backend-to-disable-the-index-cursor-entry-limit-by-default: Updated the local DB backend to disable the index cursor entry limit by default
  fixed-gauge-alarm-issues: Fixed gauge alarm issues
  fixed-server-lockdown-issue-in-newly-initialized-databases: Fixed server lockdown issue in newly initialized databases
  updated-the-export-reversible-passwords-tool: Updated the export-reversible-passwords tool
  fixed-a-server-operation-rejection-issue: Fixed a server operation rejection issue
  fixed-a-replication-protocol-message-issue: Fixed a replication protocol message issue
  updated-to-ldap-sdk-version-6-0-5: Updated to LDAP SDK version 6.0.5
  fixed-a-server-issue-causing-internal-errors-during-monitoring: Fixed a server issue causing internal errors during monitoring
  fixed-a-directory-rest-api-error-with-mismatched-time-syntax-attribute-values: Fixed a Directory REST API error with mismatched time syntax attribute values
  fixed-proxy-server-manage-profile-replace-profile-errors: Fixed Proxy server manage-profile replace-profile errors
  updated-jackson-databind-version: Updated Jackson Databind version
  updated-the-commons-codec-library: Updated the commons-codec library
  updated-the-google-guava-dependency-in-common-libraries: Updated the Google Guava dependency in common libraries
  updated-directory-rest-api-to-exclude-rdn-values-in-modify-requests: Updated Directory REST API to exclude RDN values in modify requests
---

# PingDirectory suite of products 9.1.0.0 (June 2022)

## Added support to sanitize access logs to protect sensitive information

New

Log files can contain sensitive or identifiable information that you might not want recorded in the clear. The server can now be configured to sanitize access logs as they are being written. This is available for any writer-based or JSON-formatted access log, and elements in the log message can be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see [Log sanitization](../pingdirectory_server_administration_guide/pd_ds_log_sanitization.html).

## Added support for processing JSON-formatted access logs

New

PingDirectory provides a robust logging system that allows detailed analysis of the server's functioning, including support for writing log files in JSON format. The `summarize-access-log` command, which displays several metrics about operations processed within the server, now supports processing JSON-formatted access logs.

## Updated Directory REST API

New

The Directory REST API allows developers to create customized applications for managing the entries in a directory instance. The Directory REST API now supports controls previously only available through LDAP calls. This includes the ability to do joins, allowing for advanced data modeling of relationships.

## Added conflict error messages for replicated PingDirectory deployments

New

In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically and, in such cases, the server whose add attempt creates a conflict now returns a `CONFLICT` result in the replication response control and LDAP result code.

## JSON-formatted access logger updated

Improved DS-44507, DS-45243, DS-45530

Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.

## PingDataSync Server supports PingOne as a sync destination

Improved PingDataSync

PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.

## Synchronize data to custom attributes defined in the PingOne environment

Improved PingDataSync

When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.

## Repeating cycle when resetting a password

Issue PingDirectory

If your password policy for an admin user (such as a topology administrator or rootDN) is set with `--set force-change-on-reset:true` or `--set force-change-on-add:true`, you cannot update that administrator's password without it being considered an administrator reset.

An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator in a repeating cycle when resetting the password.

One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in `cn=config`. If you do need `--set force-change-on-reset:true` or `--set force-change-on-add:true`, you must clear the `mustChangePassword` flag by running the following command each time you change the password:

```shell
$ bin/manage-account set-must-change-password \
    --mustChangePassword false \
    --targetDN cn=<admin cn>
```

## `setup` tool failure because of Bouncy Castle JAR files

Issue

The `setup` command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the `lib` directory that begin with `bc`. The JAR files are mentioned in an error message similar to the following: `An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server's classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process`. A temporary workaround is to delete the JAR files that begin with `bc` from the `lib` directory before attempting to run `setup` again.

## Bouncy Castle libraries are not removed from the `lib` directory.

Issue DS-46007

If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the `lib` directory, resulting in both the older and newer versions of the library being in the `lib` directory. This should not cause any problems with the server, but it might result in warning messages in the server's error log about different versions of the same JAR file in the classpath (for example, `The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar` and `The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar`). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.

## JSON-formatted controls rejected

Issue DS-46016 PingDirectory, PingDirectoryProxy

JSON-formatted join request controls with their criticality set to `false` are rejected as if their criticality were `true` by non-search requests.

## Fixed an issue that prevented the server from refreshing monitor data

Fixed DS-41468

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced. For information on log sanitization, see [Log sanitization](../pingdirectory_server_administration_guide/pd_ds_log_sanitization.html).

## Fixed the `status` tool

Fixed DS-44481

The `status` tool now shows the current `collect-support-data` version.

## Fixed key and trust store PIN issues

Fixed DS-45336

Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.

## Updated the server to create the `esTokenizer.ping` file if it does not exist

Fixed DS-45449 PingDirectory

Updated the server to create the `esTokenizer.ping` file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

## Password policies using virtual attributes are now correctly applied

Fixed DS-45466 PingDirectory

Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.

## Improved string representations of active operations and persistent searches

Fixed DS-45485 PingDirectory, PingDirectoryProxy

Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.

## The `encode-password` tool now works with AES256 password storage

Fixed DS-45546 PingDirectory

Fixed an issue that caused the `encode-password` tool to fail when the AES256 password storage scheme is enabled.

## Support added for synchronizing custom attributes defined in PingOne destinations

Fixed DS-36184, DS-45125 PingDataSync

Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.

## Set a consistent priority index when adding two PingDataSync servers into a new failover topology

Fixed DS-45123 PingDataSync

Updated the `manage-topology add-server` command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.

## Updated the `sanitize-log` tool

Fixed DS-16236 PingDirectory

Updated the `sanitize-log` tool to better align with the server's support for sanitizing log messages as they are logged. Changes include:

* It is preconfigured with default behaviors for an expanded set of log fields.

* It can be configured to suppress the default log field behavior configuration and use only explicitly specified configuration.

* It offers support for additional sanitization options, including omitting fields and differentiating between values that should be redacted or tokenized in their entirety or by components.

* It now uses syntax-aware redaction and tokenization.

* It offers support for specifying a default behavior to use on a per-syntax basis.

* It can obtain its settings from a log field behavior definition in the server configuration.
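The difference between omitting a field and redacting or tokenizing a value in its entirety or by components is easiest to see on a log record. The following is an added illustration, not code from `sanitize-log` or the server: the field names, behavior names, placeholder strings, HMAC-based token format, and sample records are all constructed for the example.

```python
import hashlib
import hmac

# Assumption: a secret kept outside the logs, so tokens cannot be recomputed
# by someone who only has the sanitized output.
TOKEN_KEY = b"constructed-example-key"


def tokenize(value):
    """Keyed, deterministic token: equal inputs map to equal tokens, so events
    can still be correlated without exposing the original value."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "{TOKENIZED:" + digest[:16] + "}"


def redact(_value):
    """Redaction discards the value; no correlation is possible afterwards."""
    return "{REDACTED}"


def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters inside a part."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def transform_dn_components(dn, transform):
    """Syntax-aware handling of a DN: attribute names survive, values do not."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn.strip(), "+"):  # multi-valued RDNs
            name, eq, value = ava.partition("=")
            # Fail closed: a component without '=' is transformed whole.
            avas.append(f"{name.strip()}={transform(value)}" if eq else transform(ava))
        rdns.append("+".join(avas))
    return ",".join(rdns)


def sanitize_record(record, behaviors, default="redact-entire"):
    """Apply a per-field behavior; unlisted fields get the default behavior."""
    sanitized = {}
    for field, value in record.items():
        behavior = behaviors.get(field, default)
        if behavior == "omit":
            continue
        if behavior == "preserve":
            sanitized[field] = value
            continue
        # Anything unrecognized falls through to redaction of the whole value.
        action, _, scope = behavior.partition("-")
        transform = tokenize if action == "tokenize" else redact
        if scope == "components":
            sanitized[field] = transform_dn_components(str(value), transform)
        else:
            sanitized[field] = transform(str(value))
    return sanitized


# Constructed field behavior definition and constructed log records.
BEHAVIORS = {
    "timestamp": "preserve", "operation": "preserve", "resultCode": "preserve",
    "requesterIP": "tokenize-entire", "bindDN": "tokenize-components",
    "baseDN": "redact-components", "filter": "redact-entire",
    "clientCertSubject": "omit",
}
SAMPLE_RECORDS = [
    {"timestamp": "2022-06-01T12:00:00.000Z", "operation": "BIND",
     "requesterIP": "198.51.100.7", "resultCode": 0,
     "bindDN": "uid=jdoe,ou=People,dc=example,dc=com"},
    {"timestamp": "2022-06-01T12:00:01.250Z", "operation": "SEARCH",
     "requesterIP": "198.51.100.7", "clientCertSubject": "CN=jdoe",
     "bindDN": "uid=jdoe,ou=People,dc=example,dc=com",
     "baseDN": "cn=Doe\\, Jane,ou=People,dc=example,dc=com",
     "filter": "(mail=jane.doe@example.com)", "sessionNote": "free text"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(sanitize_record(rec, BEHAVIORS))
```

Tokenizing by components keeps the shape of the DN and lets the two records be tied to the same requester, while redaction removes that link entirely.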

## Improved assured replication result codes for conflicts

Improved DS-42302 PingDirectory

Added support for improved assured replication result codes when replication conflicts occur. For `processed` assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a `CONFLICT` result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY\_ALREADY\_EXISTS) will be returned.

## Fixed password policy state extended operation

Fixed DS-44667 PingDirectory

Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.

## Added a new Docker command-line tool

Improved DS-45147 PingDirectory, PingDataSync, PingDirectoryProxy

Added a `docker-pre-start-config` command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container's environment.

## Added a new argument for `manage-profile generate-profile`

Improved DS-45163

Added an `--excludeSetupArguments` argument for the `manage-profile generate-profile` command, which allows generating a server profile that does not include a `setup-arguments.txt` file. Added a `--skipValidation` argument for the `manage-profile replace-profile` command, which allows skipping the final server validation step when running on an offline server. Updated the `setup` and `replace-profile` subcommands to fail when a server profile includes an `encryption-settings-db` file in the profile's `<server-root>/pre-setup/` directory.

## Fixed an issue with server privileges

Fixed DS-45250

Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.

## Improved protections around the `ds-pwp-modifiable-state-json` operational attribute

Improved DS-45255, DS-45504, DS-45505 PingDirectory

Updated the server to protect against attempts to modify the `ds-pwp-modifiable-state-json` operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to `ds-pwp-modifiable-state-json` if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the `ds-pwp-modifiable-state-json` operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for `modify` operations, and the server would properly reject `add` attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.

The server now also prohibits administrators from using the `ds-pwp-modifiable-state-json` operational attribute to update their own password policy state, and it prohibits attempts to update the `ds-pwp-modifiable-state-json` operational attribute in another user's entry in the same `modify` request that also resets that user's password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions, while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user's password policy state.

## Fixed a backwards compatibility issue with the `migrate-ldap-schema` tool

Fixed DS-45322 PingDirectory

A former version of the tool allowed the `--useSSL` argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both `--sourceUseSSL` and `--targetUseSSL`. Similarly, support for the `--useStartTLS` argument was inadvertently dropped, requiring both `--sourceUseStartTLS` and `--targetUseStartTLS`. The legacy arguments have been restored.

## Removed two password policies for non-password users

Fixed DS-45439, SF:00741269 PingDirectory

Minimum and maximum age password policies are no longer applied for users without a password.

## Updated Kafka version

Security DS-45462

Updated PingDirectory products to use Kafka 2.8.1, which resolves.

## Fixed incorrect index skipping

Fixed DS-45470 PingDirectory

Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine where the results from one index should already be encompassed by results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).

## Updated the topology registry and the `replace-certificate` tool

Improved DS-45480, DS-45636

Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.

Made the following updates to the `replace-certificate` tool:

* Added new `list-topology-registry-listener-certificates` and `list-topology-registry-inter-server-certificates` subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.

* Added a new `add-topology-registry-listener-certificate` subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.

* Updated the `replace-certificate replace-listener-certificate` subcommand to add `--topology-registry-update-type` and `--trust-store-update-type` arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.

* Updated the `replace-certificate replace-listener-certificate` subcommand to add an `--ignore-current-listener-certificate-validity-window` argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.

## Fixed an access log reporting issue

Fixed DS-45487 PingDirectory

Fixed an issue where access logs incorrectly reported negative processing times for certain operations.

## Added support for JSON-formatted request and response controls

Improved DS-45494 PingDirectory, PingDirectoryProxy

Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.

## Updated the server Bouncy Castle cryptographic library versions

Security DS-45503

Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.

## Added support for generic strings in access and error log messages

Improved DS-45541, DS-45542

Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.

## Updated the local DB backend to disable the index cursor entry limit by default

Improved DS-45564 PingDirectory

This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.

In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the `com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit` system property to the desired value.

## Fixed gauge alarm issues

Fixed DS-45578 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.

## Fixed server lockdown issue in newly initialized databases

Fixed DS-45582 PingDirectory

Fixed an issue where a server with a newly initialized database (through `dsreplication initialize`) could go into lockdown mode and report that the server `…may have missed one or more update(s).` if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.

## Updated the `export-reversible-passwords` tool

Fixed DS-45600 PingDirectory

Updated the `export-reversible-passwords` tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.

## Fixed a server operation rejection issue

Fixed DS-45767 PingDirectory

Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control's criticality. It continues to reject the operation if the disallowed control has a criticality of `true`, but if the criticality is `false`, the server continues processing the operation as if that control had not been requested.

## Fixed a replication protocol message issue

Fixed DS-45714, SF:00753519 PingDirectory

Fixed an issue that allowed replication protocol messages to be dropped.

## Updated to LDAP SDK version 6.0.5

Fixed DS-45746 PingDirectory

Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.

## Fixed a server issue causing internal errors during monitoring

Fixed DS-45786 PingDirectory

Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.

## Fixed a Directory REST API error with mismatched time syntax attribute values

Fixed DS-45788 PingDirectory

Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format `YYYYMMDDhhmmssZ`.
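Generalized Time values that are valid but do not have the `YYYYMMDDhhmmssZ` shape include those with omitted minutes or seconds, a fraction, or a numeric offset. The parser below is an added example, not the server's code; it follows the Generalized Time grammar in RFC 4517, and the function names and sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# The single shape named in the release note: YYYYMMDDhhmmssZ.
STRICT = re.compile(r"[0-9]{14}Z")

# RFC 4517 grammar: minutes and seconds are optional, a fraction may follow
# the last unit given, and the zone is "Z" or a +/-hh[mm] differential.
GENERALIZED_TIME = re.compile(r"""
    (?P<date>[0-9]{8})(?P<hour>[0-9]{2})
    (?:(?P<minute>[0-9]{2})(?P<second>[0-9]{2})?)?
    (?:[.,](?P<fraction>[0-9]+))?
    (?P<zone>Z|[+-][0-9]{2}(?:[0-9]{2})?)
""", re.VERBOSE)


def parse_generalized_time(value):
    """Return the value as a UTC datetime; raise ValueError if it is invalid."""
    m = GENERALIZED_TIME.fullmatch(value)
    if m is None:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    date = m["date"]
    second = int(m["second"] or 0)
    leap = timedelta(0)
    if second == 60:  # leap second: represent it as the start of the next minute
        second, leap = 59, timedelta(seconds=1)
    # datetime() itself rejects out-of-range months, days, hours and minutes.
    moment = datetime(int(date[:4]), int(date[4:6]), int(date[6:8]),
                      int(m["hour"]), int(m["minute"] or 0), second) + leap
    if m["fraction"]:
        # The fraction applies to the smallest unit present in the value.
        unit_seconds = 1 if m["second"] else 60 if m["minute"] else 3600
        digits = m["fraction"]
        moment += timedelta(
            microseconds=unit_seconds * 1_000_000 * int(digits) // 10 ** len(digits))
    zone = m["zone"]
    offset = timedelta(0)
    if zone != "Z":
        hours, minutes = int(zone[1:3]), int(zone[3:5] or 0)
        if hours > 23 or minutes > 59:
            raise ValueError(f"invalid time zone differential in {value!r}")
        offset = timedelta(hours=hours, minutes=minutes)
        if zone[0] == "-":
            offset = -offset
    # Local time = UTC + offset, so UTC = local time - offset.
    return (moment - offset).replace(tzinfo=timezone.utc)


def to_iso8601(value):
    """Render a Generalized Time value as an ISO 8601 UTC timestamp."""
    return parse_generalized_time(value).isoformat().replace("+00:00", "Z")


def compare(values):
    """For each value: does the strict shape accept it, and what does it mean?"""
    rows = []
    for value in values:
        try:
            iso = to_iso8601(value)
        except ValueError:
            iso = None  # a caller should report a client-visible error here
        rows.append((value, STRICT.fullmatch(value) is not None, iso))
    return rows


# Constructed sample values; the last two are invalid on purpose.
SAMPLES = ["20220601123000Z", "20220601123000.123Z", "202206011230Z",
           "2022060112.5Z", "20220601073000-0500", "20220601", "20221301120000Z"]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

Only the first sample passes the strict check, yet the next four are valid and resolve to a well-defined instant; the last two are invalid and surface as `ValueError`, which the caller can handle instead of failing with an unhandled error.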

## Fixed Proxy server `manage-profile replace-profile` errors

Fixed DS-45798 PingDirectoryProxy

In PingDirectoryProxy Server, `manage-profile replace-profile` sometimes failed with an error similar to the following:

```
The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other)
...
```

This fix ensures that the configuration is loaded before the merge that the error message refers to.

## Updated Jackson Databind version

Security DS-45806

Updated Jackson Databind to 2.13.3.

## Updated the commons-codec library

Security DS-45898

Updated the commons-codec library to version 1.13.

## Updated the Google Guava dependency in common libraries

Security DS-45903

Updated the Google Guava dependency in common libraries.

## Updated Directory REST API to exclude RDN values in modify requests

Improved DS-45948 PingDirectory

The Directory REST API no longer includes RDN values in `modify` requests to update the DN of an entry, because RDN values are updated by default in modify DN requests.
