PingDirectory

Release Notes

Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to the PingDirectory server, the PingDataSync server, the PingDirectoryProxy server, and the PingDataMetrics server. Updated August 30, 2024.

PingDirectory suite of products 9.3.0.6 (August 2024)

Increased replication speed

Improved DS-48826 PingDirectory

Increased throughput for replicated operations.

Fixed an issue with syncing modified PingOne attributes

Fixed DS-48669 PingDataSync

Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.

Supplied missing replication error information

Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.

Fixed an error message in the Delegated Admin report

Fixed DS-48774 PingDirectory, PingDirectoryProxy

Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.

Fixed an issue with inconsistent entryUUID values across servers

Fixed DS-48678, DS-48720 PingDirectory

Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.

Fixed an issue with VLV indexes and extensible match filters

Fixed DS-48026 PingDirectory

Fixed an issue that could prevent the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.

PingDirectory suite of products 9.3.0.5 (March 2024)

Added logging history for the setup tool

Improved DS-47831 PingDirectory

A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.

Fixed a NullPointerException caused by an unconfigured alert handler

Fixed DS-47455 PingDirectory, PingDirectoryProxy, PingDataSync, PingDataMetrics

Fixed an issue where a NullPointerException was thrown when an alert or alarm was raised and one or more of the alert handlers weren’t configured. This most commonly happened when the server was being stopped.

Now, instead of throwing a NullPointerException, the server logs this message: Alert notification '<notification>' will not be processed by alert handler '<alert_handler>' since that alert handler does not have configuration.

Fixed an encoding issue with UTF-8 in URI search filters

Fixed DS-48300 PingDirectory, PingDataSync

Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed an issue with attribute duplication

Fixed DS-48585 PingDirectory

Fixed an issue where replace operations that target attributes with subordinate types would cause the subordinate attribute values to be duplicated.

Fixed an issue where the server could throw a DATABASE_LOCK_CONFLICT error

Fixed DS-45949 PingDirectory

Fixed an issue where aborting a transaction on a PingDirectory server could sometimes fail to release a write-lock, causing all subsequent transactions to fail with the error DATABASE_LOCK_CONFLICT until the server was restarted.

Fixed a potential NullPointerException during replication

Fixed DS-47289 PingDirectory

Fixed a potential NullPointerException that the server could throw during replication if missing changes were found for a replica, but that replica didn’t exist on all servers. This scenario can happen when an obsolete replica is purged concurrent to the check for missing changes.

Fixed a replication issue where a suffix could have multiple generation IDs

Fixed DS-47695 PingDirectory

The generation ID, represented by ds-sync-generation-id, is a value used by replication to determine whether replicas are compatible and can be replicated. To address the issue of multiple generation IDs for the same suffix, the generation ID is now calculated independently of the on-disk order in which the entries are stored. This new behavior is helpful when entries are imported on new servers instead of initializing them.

Fixed an issue with dsreplication status information

Fixed DS-47326 PingDirectory

Fixed an issue where running the dsreplication status --displayservertable command sometimes failed to display peer server statuses or generation IDs.

Fixed the default behavior of check-replication-domains

Fixed DS-47655 PingDirectory

Changed the check-replication-domains tool to default to the server’s root directory and removed the --serverRoot argument requirement.

Fixed an incorrect suggestion in the replication terminal output

Fixed DS-47878 PingDirectory

Fixed a problem where dsreplication initialize suggested using the --force option if you were unable to connect to the server properly.

Fixed an issue that prevented use of the Changelog Password Encryption plugin in replicated environments

Fixed DS-48205 PingDirectory

Fixed an issue where the Changelog Password Encryption plugin would not work properly in a replicated environment if a password was changed with a Password Modify extended operation.

Fixed an issue with error logging

Fixed DS-48084 PingDirectory

Fixed an issue where a cn=config does not exist error message would appear in the error logs after navigating to the status page of the administrative console.

Fixed an issue with backend availability reporting

Fixed DS-48040 PingDirectoryProxy

Fixed an issue where PingDirectoryProxy wouldn’t accurately report the availability of backends added through automatic backend discovery.

PingDirectory suite of products 9.3.0.4 (January 2024)

Fixed a memory issue introduced in 9.3.0.2 that could have caused the server to crash

Fixed DS-48599 PingDirectory

We fixed an uncommon issue that was causing memory usage to spike, possibly crashing the PingDirectory server.

With this issue present, when clients performed atypical modify operations, they might have populated entries with duplicate attribute values. If clients repeated these modifications, over time, the duplicate attribute values could have caused the server to consume a substantial amount of memory, which might have eventually caused the server to shut down with an out-of-memory error.

PingDirectory suite of products 9.3.0.3 (November 2023)

Faster server backup and recovery

Improved DS-45157 PingDirectory

We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.

PingDirectory suite of products 9.3.0.2 (October 2023)

Fixed an issue with replace modifications

Fixed DS-47975 PingDirectory

Fixed an issue that could prevent replace modifications for attribute types with subordinate types (for example, postalAddress) from being properly applied.

Fixed an issue that affects password policies stored outside the server configuration

Fixed DS-43034, DS-47832 PingDirectory

Fixed a regression that was introduced in the 9.3.0.0 release while making changes to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. The issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.

As part of the change to allow additional values for the allow-pre-encoded-passwords configuration property, we changed the syntax for the underlying attribute type from Boolean to directory string. When storing values for Boolean attributes in entries that reside in local DB backends, the server may compact the value to reduce the amount of space to store the data on disk and in memory. When the syntax for the attribute type was changed, the server no longer recognized that the value was compacted, which prevented it from properly interpreting that value.

This fix allows the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. Note that when the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address that.

Made improvements to the Configuration API

Fixed DS-47790 PingDirectory

The Configuration API no longer treats patch operations with empty arrays as invalid. Instead, it now resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.

Fixed an issue with the remove-defunct-server command

Fixed DS-47784 PingDirectory

Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme where encryption settings were not initialized before initializing password policy components.

Fixed an issue with processing search operations

Fixed DS-47585 PingDirectory

Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.

Fixed an issue that caused a null pointer exception to be thrown

Fixed DS-45527 PingDataSync

Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Improved Active Directory Sync sources

Improved DS-46635 PingDataSync

For Active Directory Sync sources, when setting the startpoint to the end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this change, setting the startpoint to end-of-changelog should be faster, particularly for slow networks.

Fixed an issue when enabling or disabling a user in PingOne

Fixed DS-47905 PingDataSync

Resolved an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.

To create an attribute mapping that will modify the enabled status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This will ensure that enabled will always have a well-defined value, even if the source attribute is not present on an entry in the source server.

dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=*) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=*)) : true'

PingDirectory suite of products 9.3.0.1 (August 2023)

Fixed a security issue

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported versions of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

PingDirectory suite of products 9.3.0.0 (June 2023)

What’s new in the PingDirectory 9.3 suite of products?

New DS-46779

PingDirectory
  • When dealing with server security, some customers require the ability to separate control of encryption settings from the typical directory administrator. In this release, several features have been added to restrict and/or revoke access to the encryption settings configuration, with the ability to lock the encryption settings database with a password and by using a new monitor provider for the cipher stream provider itself. Several restrictions can be configured, including preventing data encryption from being turned off, preventing changes to the cipher stream provider, preventing export of the encryption settings database, and preventing use of the encrypt-file tool to decrypt files. Also, administrators can now set up a new PingDirectory instance with a pre-existing encryption settings database using the manage-profile command.

  • PingDirectory has previously allowed user entries to authenticate via pass-thru authentication to other systems such as Active Directory or PingOne. There has been a limit, however, of just one pass-thru authentication plugin. A new aggregate pass-thru authentication handler has been added in version 9.3, allowing for multiple subordinate authentication plugins, each with its own criteria to identify the authentication requests it should process. The configuration order determines the priority of the plugins. Different failure types can be configured that allow a failure in one subordinate handler to continue processing in another handler.

  • PingDirectory provides several application programming interfaces (APIs) for creating efficient and powerful client applications for managing the data store. The Directory REST API has been enhanced to support specific LDAP extended operations. These include the Password Modify, Generate Password and Get Password Quality Requirements extended operations. Since JSON-format controls were recently added to the Directory REST API, all supported controls can be used with these extended operations as well. The Change Password extended operation allows users to modify their own password or another user’s (with proper permissions, of course). The Suggest Password extended operation generates a list of potential passwords and provides details on whether they would be valid under certain policies, and the Password Requirements extended operation returns a comprehensive list of password quality requirements for a given user/policy if a certain operation is performed.

  • Several improvements to the dsreplication command will increase the performance when enabling replication and for retrieving the current status of the topology.

PingDataSync

The configuration of sync pipes continues to be a sticking point for customers as the process can be quite difficult. Currently these are created using dsconfig, the admin console or the configuration API. There are OOTB dsconfig script files provided for creating a PingOne source and/or destination server. New OOTB scripts and documentation have been created specifically for bi-directional syncs between Active Directory and PingDirectory, a reference script for syncing from Active Directory to SCIMv2 and when using Kafka as a sync destination. These scripts include the necessary steps and documentation detailing how to customize these steps for a customer’s environment.

Added the cache-duration property

Critical DS-47166 PingDirectory

Added property cache-duration to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.

Added additional values for the allow-pre-encoded-passwords property

New DS-43034 PingDirectory

Added support for additional values for the allow-pre-encoded-passwords property in the password policy configuration. Previously, the value for this property could be either "false" or "true," but it can now be any of the following:

  • false: Do not allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. This remains the default setting, and the behavior with this value remains the same.

  • true: Allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. The behavior with this value remains the same.

  • add-only: Allow pre-encoded passwords to be provided in add requests, but not in self password changes or administrative password resets.

  • admin-reset-only: Allow pre-encoded passwords to be provided in administrative password resets, but not in add requests or self password changes.

  • add-and-admin-reset-only: Allow pre-encoded passwords to be provided in add requests or administrative password resets, but not in self password changes.

The new values can be used to allow administrators to set pre-encoded passwords without allowing end users to do so for their own accounts. Allowing pre-encoded passwords for self password changes introduces the potential for several security risks, including permitting users to bypass password validation, password expiration, and password history constraints; permitting users to use weakly encoded passwords; or allowing users to use passwords that are encoded so strongly that it could cause excessive resource consumption in the server.

Added account status notification types

New DS-43714, DS-46355 PingDirectory

Added an account-authenticated account status notification type that can be used to notify users or administrators when an account has successfully authenticated with a bind request that matches a specified set of criteria.

Added an account-deleted account status notification type that can be used to notify users or administrators when an account has been removed with a delete request that matches a specified set of criteria.

Added support for a successful bind result criteria that can be used to classify successful bind operations based on the resulting authentication identity.

Added a UTF-8 password validator

New DS-44536 PingDirectory

Added a UTF-8 password validator that can be used to ensure that only valid UTF-8 strings can be used as passwords. Passwords can optionally be limited to only ASCII characters, and you can specify which Unicode character classes (for example, letters, numbers, punctuation, symbols, spaces, etc.) should be allowed.

Added the --showPartialBacklog option to dsreplication status

New DS-44898 PingDirectory

Added the --showPartialBacklog option to dsreplication status to display information about the replica-partial-backlog attribute.

Added configuration properties to the Config File Handler backend

New DS-45254, DS-47110, DS-47401

Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).

If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file can be removed after the next configuration change.

By default, this property will apply to the topology registry subtree.

Added pass-through authentication handlers

New DS-45263 PingDirectory

Added an aggregate pass-through authentication handler that makes it possible to have multiple types of pass-through authentication enabled in the server at the same time.

Added a PingOne pass-through authentication handler that can be used to authenticate to the PingOne service. This handler provides the same functionality as the standalone PingOne pass-through authentication plugin, but it can be used with the aggregate pass-through authentication handler to support pass-through authentication to PingOne in conjunction with other types of services.

Added a replication-missing-changes-risk alert

New DS-46198 PingDirectory

A replication-missing-changes-risk alert is now raised during replication server connections if the backlog is within a configurable percent of the purge delay. By default, the new missing-changes-alert-threshold-percent replication server configuration parameter is set to 80%.

Added new properties to the Config File Handler Backend

New DS-46334 PingDirectory, PingDirectoryProxy, PingDataSync

Added two new properties to the Config File Handler Backend for managing the config archive and limiting its impact on server performance.

The first property is maintain-config-archive, which controls whether or not changes to the config backend are recorded in the config archive. Existing records in the archive are unaffected by changes to this property.

The second property is max-config-archive-size, which limits the number of config files that will be maintained by the archive. When a new file is added to the archive, if the resulting number of files exceeds the value of this property, then the oldest files will be deleted from the archive until the total is equal to the configured value.

Added a property that lets you control servlet information

New DS-46565

Added the include-servlet-information-in-error-pages configuration property to give you control over whether servlet information gets printed on HTTP error pages or remains hidden (by default).

Added support for encrypted PKCS #8 private key PEM files

New DS-46654 PingDirectory, PingDirectoryProxy, PingDataSync

When setting up the server with a private key read from a PEM file, or when using manage-certificates to import a certificate chain and private key from PEM files, that private key PEM file can now contain an encrypted private key, and you can specify the password needed to decrypt it. When using manage-certificates to export a private key, you can now specify a password to use to encrypt the key.

Added caching logic

New DS-46664 PingDirectory

Addressed a performance issue when adding new directory servers to large replicated topologies spanning multiple geographic locations.

Added support for syncing Boolean-valued attributes

New DS-46826 PingDataSync

Added support for syncing Boolean-valued attributes for PingOne destinations.

Added support for restricting administrators' access to encrypted data

New DS-46908, DS-46911, DS-46912, DS-46913, DS-46931, DS-46933, DS-46934, DS-46936, DS-46937

Updated the server to support a separation of duties between those responsible for administering the server itself and those responsible for managing the encryption settings definitions used for data encryption. This is implemented through a combination of four new capabilities that were added:

  • The ability to configure data encryption restrictions that can impose limitations around the administration of data encryption and access to decrypted data, including the ability to disable encryption, to change the cipher stream provider used to protect the encryption settings database, the ability to create backups or LDIF exports that are unencrypted or encrypted with a passphrase instead of an encryption settings definition, and the ability to use the encrypt-file tool to decrypt files.

  • The ability to freeze the encryption settings database with a specified password. While it is frozen, the encryption settings database will operate in read-only mode so that it is not possible to create or remove definitions, change the preferred definition, or alter the set of active data encryption restrictions. The database can only be unfrozen with the password that was initially used to freeze it.

  • The ability to set up the server with a pre-existing encryption settings database. This is best done with the manage-profile setup command using a server profile that uses --encryptDataWithPreExistingEncryptionSettingsDatabase in the setup-arguments.txt file, that includes one or more batch files in the pre-setup-dsconfig directory with changes to configure and activate the associated cipher stream provider, and that includes the encryption settings database and any metadata files needed by the cipher stream provider in the appropriate locations below the server-root/pre-setup directory.

  • Support for a new monitor provider that can periodically ensure that the encryption settings database can be read without relying on any caching that the cipher stream provider might be using to improve performance and reliability. After a prolonged outage, it can also optionally shut down the server or force it into lockdown mode as a way of preventing or limiting access to encrypted data. This can be used as a way of revoking access to encrypted data in the event that those responsible for managing encryption settings definitions deem it necessary by removing or disabling an external element (for example, an external KMS encryption key or a secret read from a password vault) that the cipher stream provider depends on for access to the encryption settings database.

Added a disallowed characters password validator

New DS-47262 PingDirectory

The validator can be used to reject proposed passwords that contain any of a specified set of characters. It can be configured with characters that cannot appear anywhere in a password, as well as with characters that are disallowed only at the beginning or end of a password.
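The checks performed by the UTF-8 password validator (valid UTF-8 only, optional ASCII-only, allowed Unicode character classes) and by the disallowed characters validator (characters rejected anywhere, or only at the start or end) can be modelled together. The following is an added example, not the server's own validator code; the mapping of the page's character classes onto Unicode general-category prefixes is an assumption made here.

```python
import unicodedata
from typing import Iterable, List, Optional

# Assumed mapping of the character classes named on the page onto Unicode
# general-category prefixes (unicodedata.category returns e.g. "Lu", "Nd", "Po").
CATEGORY_CLASSES = {
    "letter": "L",
    "number": "N",
    "punctuation": "P",
    "symbol": "S",
    "space": "Z",
}


def validate_password(
    raw: bytes,
    ascii_only: bool = False,
    allowed_classes: Optional[Iterable[str]] = None,
    disallowed_anywhere: str = "",
    disallowed_at_start: str = "",
    disallowed_at_end: str = "",
) -> List[str]:
    """Return the list of rejection reasons; an empty list means the password passes.

    Hypothetical combination of both validators: the UTF-8 checks run first,
    then the disallowed-character checks on the decoded string.
    """
    reasons: List[str] = []

    # 1. The raw value must be valid UTF-8. Strict decoding rejects invalid
    #    start/continuation bytes, overlong forms, surrogates and truncated sequences.
    try:
        password = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8: {exc.reason} at byte {exc.start}"]

    if not password:
        return ["empty password"]

    # 2. Optional ASCII-only restriction.
    if ascii_only and not password.isascii():
        reasons.append("contains non-ASCII characters")

    # 3. Restrict to the allowed Unicode character classes; anything outside
    #    them (including control and format characters) is reported by code point.
    if allowed_classes is not None:
        prefixes = {CATEGORY_CLASSES[name] for name in allowed_classes}
        bad = sorted({ch for ch in password if unicodedata.category(ch)[0] not in prefixes})
        if bad:
            reasons.append("disallowed character class: " + ", ".join(f"U+{ord(c):04X}" for c in bad))

    # 4. Disallowed characters: anywhere in the password, at its start, at its end.
    hits = sorted({ch for ch in password if ch in disallowed_anywhere})
    if hits:
        reasons.append("contains disallowed character(s): " + "".join(hits))
    if password[0] in disallowed_at_start:
        reasons.append(f"starts with disallowed character {password[0]!r}")
    if password[-1] in disallowed_at_end:
        reasons.append(f"ends with disallowed character {password[-1]!r}")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (b"\xff\xfeabc", "pässword".encode("utf-8"), b"Hello world1!", b"-secret!"):
        print(sample, validate_password(sample, ascii_only=True,
                                        allowed_classes=["letter", "number"],
                                        disallowed_at_start="-", disallowed_at_end="!?"))
```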

Added a replication-not-purging-obsolete-replicas alert

New DS-47366 PingDirectory

A replication-not-purging-obsolete-replicas alert will be raised at server startup if a replication server is not configured to purge obsolete replicas. It is recommended that replication servers always be configured to do so.

Added a check-replication-domains tool

New DS-47373 PingDirectory

Added a check-replication-domains tool to check the current list of known replication domains and indicate whether any obsolete domains are present. Learn more about Discovering obsolete replicas.

Improved error handling for LDAP external servers

Improved DS-43614 PingDirectoryProxy

Improved error handling for LDAP external servers that are configured with an authorization-method value of rebind. If the bind attempt fails in a way that indicates that the connection is no longer valid, the PingDirectoryProxy server might now attempt the rebind in a different server or on a newly recreated connection.

Updated the collect-support-data administrative task

Improved DS-44534

Updated the collect-support-data administrative task to allow specifying the start and end times for the range of log messages to include in the support data archive.

Updated the LDAP connection handler

Improved DS-45221

Updated the LDAP connection handler so that changes to the set of enabled TLS protocols and cipher suites take effect immediately and will be used for any new LDAPS or LDAP+StartTLS connections that are established after the change is made. This applies for changes made directly in the connection handler configuration, and if the connection handler is not configured with an explicit set of TLS protocols or cipher suites, then it also applies to changes made in the crypto manager configuration.

A restart is still required to apply TLS protocol or cipher suite changes to other types of connection handlers, as well as for replication.

Updated the modifiable password policy state plugin

Improved DS-45506 PingDirectory

Updated the modifiable password policy state plugin to allow the ds-pwp-modifiable-state-json attribute to be included in add requests for the purpose of specifying certain elements of the new account’s password policy state.

Updated setup to encrypt the tools.pin file in certain situations

Improved DS-46379

Updated setup so that if it is configured to write a tools.pin file containing the default bind password to supply when running command-line tools, and if it is also configured to enable data encryption in the server, then it will encrypt the contents of that tools.pin file.

Improved how a backup of the config backend is handled

Improved DS-46467

If during a backup of the config backend, a file is deleted from the config/archived-configs directory, that deleted file will now be ignored instead of causing the backup to fail.

Improved password modify extended requests

Improved DS-46487 PingDirectory

Updated the server to allow password modify extended requests to include a proxied authorization request control.

Updated the pass-through authentication handler

Improved DS-46511 PingDirectory

Updated the pass-through authentication handler configuration to make it possible to configure each handler with an optional set of connection criteria, request criteria, and included local entry base DNs. When using the aggregate pass-through authentication handler, this makes it easier to indicate which handler should be used for a given bind operation.

Updated the replace-certificate tool

Improved DS-46653 PingDirectory

Updated the replace-certificate tool to support obtaining the source certificate chain and private key from PEM-formatted or DER-formatted files when replacing a listener or inter-server certificate. This is an alternative to requiring the new certificate to be provided in a key store.

Updated the Directory REST API with a new method for changing passwords

Improved DS-46816 PingDirectory

Updated the Directory REST API to add support for a means of changing passwords that is analogous to the LDAP password modify extended operation.

Updated the Directory REST API to suggest user passwords

Improved DS-46818 PingDirectory

Updated the Directory REST API to add support for a means of suggesting one or more new passwords for a user. This is analogous to the LDAP generate password extended operation.

Updated the Directory REST API for obtaining password quality requirements

Improved DS-46823 PingDirectory

Updated the Directory REST API to add support for a means of getting the requirements that a password will be required to satisfy for an add, self password modify, or administrative password reset operation. This is analogous to the LDAP get password quality requirements extended operation.

Improved the response time of dsreplication enable command

Improved DS-46906 PingDirectory

Improved the response time of dsreplication enable command on large topologies with more than 20 servers.

Improved data encryption

Improved DS-46908, DS-46911, DS-46912, DS-46913, DS-46931, DS-46933, DS-46934, DS-46936, DS-46937

The following data encryption improvements were made:

  • We updated the encryption-settings create command to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key for the definition.

  • We updated most cipher stream providers to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key used to protect the encryption settings database, and to use a higher default value.

  • We updated the file-based cipher stream provider to support being configured with a metadata file that allows it to use stronger encryption for protecting the encryption settings database than when no metadata file is configured. A metadata file will automatically be configured when enabling data encryption during setup when not using a pre-existing encryption settings database.

  • We improved encryption strength for encryption settings exports, backups, LDIF exports, log files and other file encryption, preferring 256-bit AES over 128-bit when available, and using a higher PBKDF2 iteration count to derive the key.

  • We improved file encryption performance in the common case of using an encryption settings definition instead of a passphrase.

  • We updated the encryption settings backend to provide additional information about each encryption settings definition, and updated the base entry for that backend to indicate if the encryption settings database is frozen or configured with any data encryption restrictions.

Improved performance of dsreplication command

Improved DS-47083, DS-47084 PingDirectory

Improved performance of dsreplication commands in topologies with a large number of PingDirectory servers and/or high network latency.

Improved dsreplication command response time

Improved DS-47104 PingDirectory

Improved response time of dsreplication command.

Improved various timeouts for replication enable and remove defunct server operations

Improved DS-47144 PingDirectory, PingDirectoryProxy, PingDataSync

Improved various timeouts for replication enable and remove defunct server operations to scale with the size of the topology. Smaller sized topologies should not be impacted by these changes.

Updated the server’s behavior when authenticating a client connection

Improved DS-47155 PingDirectory, PingDirectoryProxy

Updated the server’s behavior when it is configured to attempt to automatically authenticate a client connection using a certificate chain presented during TLS negotiation. Previously, if the client presented a certificate chain that could not be used to successfully authenticate the client, the server would have allowed the connection to remain established in an unauthenticated state, which could cause problems with applications that expect the connection to be authenticated. It will now terminate the client connection and log a disconnect message with details about the authentication failure.

Improved the server’s support for UTF-8 password strings

Improved DS-47167 PingDirectory

Improved the server’s support for passwords provided as UTF-8 strings containing non-ASCII characters with multiple Unicode representations. Previously, bind attempts with such a password would only succeed if the request included the password with exactly the same sequence of bytes used at the time the password was set. Now, the bind might also be able to succeed when the provided password contains the same logical set of characters but using a different Unicode normalization form.
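The behaviour described above, as an added Python example that is not PingDirectory code: passwords are hashed over a canonical (NFC) UTF-8 encoding so that the precomposed and combining-character spellings of the same word verify as equal, and a legacy-compatible check tries each normalization form of the candidate against a hash that was computed over whatever bytes the client originally sent. The storage scheme layout, the `pbkdf2-sha256` label and the iteration count are assumptions for the example, not server defaults.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

# Assumed iteration count for the example, not a PingDirectory default.
ITERATIONS = 100_000


def encode_password(password: str, normalize: bool = True) -> bytes:
    """Return the bytes that get hashed.

    With normalize=True the string is first converted to Unicode NFC, so
    U+00E9 (precomposed e-acute) and "e" + U+0301 (combining acute) yield
    the same bytes. NFC is chosen over NFKC because NFKC also folds
    compatibility characters (for example full-width letters), which would
    make visibly different passwords compare equal.
    """
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return password.encode("utf-8")


def hash_password(password: str, salt: bytes | None = None, normalize: bool = True) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored form is scheme$iters$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_password(password, normalize), salt, ITERATIONS)
    return "$".join(["pbkdf2-sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(stored: str, candidate: str, normalize: bool = True) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", encode_password(candidate, normalize), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def verify_any_form(stored: str, candidate: str) -> bool:
    """Legacy-compatible check for hashes computed over un-normalized bytes.

    The stored hash may cover whatever byte sequence the client sent when
    the password was set, so try the candidate as given and in each Unicode
    normalization form. Each attempt costs a full PBKDF2 run.
    """
    forms = [candidate] + [unicodedata.normalize(f, candidate) for f in ("NFC", "NFD", "NFKC", "NFKD")]
    return any(verify_password(stored, form, normalize=False) for form in forms)


if __name__ == "__main__":
    stored = hash_password("caf\u00e9")
    print(verify_password(stored, "cafe\u0301"))  # True: same characters, different form
    legacy = hash_password("cafe\u0301", normalize=False)
    print(verify_password(legacy, "caf\u00e9", normalize=False))  # False: byte-for-byte only
    print(verify_any_form(legacy, "caf\u00e9"))  # True: the NFD form matches the legacy bytes
```

Normalizing at set time and at bind time is the cheap path; the multi-form fallback is only needed for hashes that already exist, and it multiplies the per-bind hashing cost by the number of forms tried.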

Updated replace-certificate replace-inter-server-certificate

Improved DS-47345

Updated replace-certificate replace-inter-server-certificate to prevent using a certificate with an RSA key size greater than 3072 bits. It previously only required a minimum key size of 2048 bits without imposing a maximum size limit, but some of the cryptographic processing performed during inter-server authentication fails when using certificates with key sizes larger than 3072 bits.

Fixed an issue with updating password policy state information

Fixed DS-47440 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue that could interfere with the server’s ability to update password policy state information while processing a bind operation using pass-through authentication.

For service accounts that use password storage schemes with high computational processing costs, such as PBKDF2, the server could process bind requests significantly slower.

You should create a separate password policy for your service account, choose a less process-intensive password storage scheme, such as SSHA256, and set a very strong password according to NIST guidelines. Learn more in the Upgrade considerations.

Fixed an issue in the pluggable pass-through authentication plugin

Fixed DS-46544 PingDirectory

Fixed an issue in the pluggable pass-through authentication plugin that could prevent it from continuing with a local bind attempt if try-local-bind is false but the configured handler reports that the target user does not exist in the external service.

Fixed an issue when processing a modify operation

Fixed DS-45335 PingDirectory

Fixed an issue that could arise when processing a modify operation that contains a replace modification in which the attribute description has an attribute type and does not have any attribute options. If the target entry contained any attributes with the same attribute type but that also had one or more attribute options, then those attributes would have been incorrectly removed from the entry.
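The replace semantics described above, as an added Python example that is not PingDirectory code: an entry is modelled as a mapping from attribute descriptions (type plus optional `;option` suffixes) to value lists, and a replace modification only touches the attribute whose type and option set both match. The pre-fix behaviour, matching on the type alone, is shown beside it for comparison. The example generalizes slightly: it also leaves `cn` alone when `cn;lang-fr` is the replace target.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed entry model: attribute description -> values.
Entry = Dict[str, List[str]]


def _split_description(desc: str) -> Tuple[str, FrozenSet[str]]:
    """'cn;lang-fr;x-foo' -> ('cn', {'lang-fr', 'x-foo'}); matching is case-insensitive."""
    parts = desc.lower().split(";")
    return parts[0], frozenset(p for p in parts[1:] if p)


def apply_replace(entry: Entry, attr_desc: str, new_values: List[str]) -> Entry:
    """Apply a 'replace' modification as RFC 4511 section 4.6 defines it.

    Only the attribute whose description matches exactly (same type AND the
    same set of options) is replaced. Attributes of the same type that carry
    different options, such as cn;lang-fr when cn is replaced, are left as
    they are. Replacing with an empty value list removes the matching
    attribute.
    """
    target_type, target_opts = _split_description(attr_desc)
    result: Entry = {}
    matched_key: Optional[str] = None
    for desc, values in entry.items():
        typ, opts = _split_description(desc)
        if typ == target_type and opts == target_opts:
            matched_key = desc  # this is the attribute being replaced
            continue
        result[desc] = list(values)
    if new_values:
        result[matched_key or attr_desc] = list(new_values)
    return result


def apply_replace_buggy(entry: Entry, attr_desc: str, new_values: List[str]) -> Entry:
    """The pre-fix behaviour the note describes: matching on the attribute
    type alone, so every cn;<options> attribute is dropped when cn is
    replaced. Kept only to illustrate the defect."""
    target_type, _ = _split_description(attr_desc)
    result = {d: list(v) for d, v in entry.items() if _split_description(d)[0] != target_type}
    if new_values:
        result[attr_desc] = list(new_values)
    return result


if __name__ == "__main__":
    entry = {"cn": ["Alice"], "cn;lang-fr": ["Alice FR"], "sn": ["Smith"]}
    print(apply_replace(entry, "cn", ["Alicia"]))        # cn;lang-fr survives
    print(apply_replace_buggy(entry, "cn", ["Alicia"]))  # cn;lang-fr is lost
```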

Fixed the server’s handling for subtree searches

Fixed DS-46178 PingDirectory

Fixed an issue with the server’s handling for subtree searches with an empty base DN. The server correctly returned entries from top-level backends (that is, backends whose base DNs were server naming contexts) but failed to return entries from subordinate backends.

Fixed an issue that prevented search result entry messages from being logged

Fixed DS-46656 PingDirectoryProxy

Fixed an issue that prevented search result entry messages from being logged for operations passing through the PingDirectoryProxy server.

Fixed an issue with IntraSync User operational attributes

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed an issue with permit-export-reversible-passwords

Fixed DS-46810 PingDirectory

Fixed an issue that prevented including permit-export-reversible-passwords in the set of privileges that can be automatically inherited by root users and topology administrators.

Fixed an issue with passwords within minAge

Fixed DS-46882 PingDirectory

Fixed an issue so that attempting to change a password that is within the minAge now returns an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.

Fixed an issue with the manage-profile --setup script

Fixed DS-46892 PingDirectory

Fixed an issue where the manage-profile --setup script did not correctly find the necessary paths.

Fixed an issue with expired passwords and remaining grace logins

Fixed DS-46945 PingDirectory

Fixed an issue that prevented a user with an expired password but one or more remaining grace logins from being allowed to change their own password on a request that was authorized with the proxied authorization request control.

Fixed an issue with normalized search substrings

Fixed DS-46946 PingDirectory

Fixed an issue where normalized search substrings that were empty matched everything instead of nothing.

Fixed an issue with unindexed searches

Fixed DS-47061 PingDirectory

Fixed an issue that could prevent certain unindexed searches from returning all matching entries in the scope of the search. If a backend is configured with compact-common-parent-dn values that are at least two levels below the backend’s base DN, then searches based below the backend base DN but above a compact-common-parent-dn value could have excluded entries from subtrees for which compaction had been configured. This issue has been fixed, but because it caused certain records to be stored in an incorrect order in the underlying database, customers affected by the issue will need to export the backend data to LDIF and re-import it to have the database rebuilt with the correct ordering.

Fixed an issue with the password modify extended operation and the no-operation control

Fixed DS-47079 PingDirectory

Fixed an issue in which the server could return multiple password validation details response controls in the response to a password modify extended request that included a password validation details request control and did not specify a new password, indicating that the server should generate a new password for the target user.

Also fixed an issue in which the server would not return the generated new password in the response to a password modify extended request that included a no-operation request control and did not specify a new password.

Fixed a replication issue causing unstable master selection

Fixed DS-47103 PingDirectory

Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.

Fixed an issue causing improper modify request processing

Fixed DS-47170 PingDirectory

Fixed an issue that could prevent the server from properly processing a modify request that contained an update to the ds-pwp-modifiable-state-json attribute in conjunction with one or more other attributes. If the update to ds-pwp-modifiable-state-json did not actually result in any changes to the user’s password policy state, then the server could have short-circuited processing for the operation and returned a success result without processing the other modifications targeting other attributes.

Fixed an issue with index name length

Fixed DS-47182 PingDirectory

Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.

Fixed an issue with the password policy state extended operation

Fixed DS-47245 PingDirectory

Fixed an issue that could cause the password policy state extended operation to return misleading results for some requesters. Previously, the server would always retrieve the target user’s entry on an internal connection authorized as the user that requested the external operation, and would use that entry to construct its internal representation of the password policy state. This ensured that the operation would only be allowed if the requester had the necessary permission to retrieve the target user’s entry, but if the requester didn’t have permission to retrieve all of the operational attributes used to represent components of the target user’s password policy state, then the perceived state used for subsequent processing in that operation might not be accurate, which could cause the server to return incorrect information about the user’s account state.

To address this problem, the server first ensures that the requester has the necessary permission to issue the extended request and to access the target user’s entry, but it will then retrieve the entry again on an internal connection that is not subject to access control restrictions. This ensures that it will always get a complete and accurate representation of the user’s password policy state so that it can return the correct information to the requester.

If the operation is used in an attempt to update the target user’s password policy state, then the requester must still have the necessary access control permission to write to the appropriate operational attributes for that request.

Fixed an issue with the purging of obsolete replicas

Fixed DS-47369 PingDirectory

Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.

Fixed an issue with case insensitivity

Fixed DS-47374 PingDirectory

Fixed an issue where case insensitivity was not correctly handled when working with static topologies.

Support for HashiCorp Vault password storage schemes

Issue DS-49305 PingDirectory

Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.

PingDirectory suite of products 9.2.0.4 (November 2023)

Faster server backup and recovery

Improved DS-45157 PingDirectory

We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.

Fixed an issue with Changelog Password Encryption in replicated environments

Fixed DS-48205 PingDirectory

We fixed an issue where the Changelog Password Encryption plugin wouldn’t work properly in a replicated environment if you changed a password using a Password Modify extended operation. The password change is now propagated to all replicas.

PingDirectory suite of products 9.2.0.3 (September 2023)

Added a new configuration property to the Config File Handler backend

New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).

If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file may be removed after the next configuration change.

By default, this property will apply to the topology registry subtree.

Enhanced the dsreplication enable command

Improved DS-46902 PingDirectory

The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.

Fixed an issue causing a null pointer exception

Fixed DS-45527 PingDataSync

Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Fixed an issue allowing search operations to last beyond the time limit

Fixed DS-47585 PingDirectory

Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.

Fixed an issue with the remove-defunct-server command

Fixed DS-47784 PingDirectory

Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme where encryption settings were not initialized before initializing password policy components.

PingDirectory suite of products 9.2.0.2 (August 2023)

Fixed a security issue

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

PingDirectory suite of products 9.2.0.1 (May 2023)

Added the cache-duration property

New DS-47166 PingDirectory

Critical: Added the property cache-duration to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.

Fixed an issue causing missing IntraSync User operational attributes

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed an issue with changing passwords within minAge

Fixed DS-46882 PingDirectory

Fixed an issue so that attempting to change a password that is within the minAge now returns an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.

Improved the response time of dsreplication enable

Improved DS-46906 PingDirectory

Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.

Fixed an error with replicated PingDirectory server topology

Fixed DS-47103 PingDirectory

Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.

Fixed an issue with index name length

Fixed DS-47182 PingDirectory

Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.

PingDirectory suite of products 9.2.0.0 (December 2022)

Added new access control bind rules and a new access control target

New DS-38367, DS-38368, DS-38369 PingDirectory

  • Added a new "secure" access control bind rule that can be used to make access control decisions based on whether the client is using a secure connection (for example, LDAPS or LDAP with StartTLS) to communicate with the server. Using the bind rule secure="true" indicates that the ACI only applies to requests received over a secure connection, while secure="false" indicates that the ACI only applies to requests received over an insecure connection.

  • Added a new "connectioncriteria" access control bind rule that can be used to make access control decisions based on whether the client connection matches a specified set of connection criteria. The value of the bind rule can be either the name or the full DN of the configuration object that defines the desired connection criteria.

  • Added a new "requestcriteria" access control target that can be used to make access control decisions based on whether the operation request matches a specified set of request criteria. The value of the target can be either the name or the full DN of the configuration object that defines the desired request criteria.

For more information, see ACI bind rules and ACI targets.

Added an audit data security recurring task

New DS-42172 PingDirectory

Added a new "audit data security" recurring task that can be used to regularly examine server data for potential security-related issues. For more information, see Auditing data content.

Added new stats to track operations when using UnboundIDSyncDestination

New DS-44855 PingDataSync

Added new stats to track operations on account state when using an UnboundIDSyncDestination. They can be found on the monitor entry for the sync pipe associated with the destination.

Added support for Java 17

New DS-45766 PingDirectory, PingDirectoryProxy, PingDataSync

The server can now run on Java 17.

PingDataMetrics does not support Java 17.

Updated Groovy

New DS-45970

Updated Groovy support from Groovy 2.x to Groovy 3.x for Java 17 compatibility. This change might introduce some minor incompatibilities in Groovy script support (for example, it appears that import statements split across multiple lines are no longer allowed), so deployments making use of Groovy-scripted extensions should carefully test these extensions in a temporary standalone instance to verify compatibility and make any necessary changes before updating existing instances.

Added a SCIM 2.0 sync destination

New DS-46108 PingDataSync

Added a SCIM 2.0 sync destination. For more information, see Configuring synchronization to a SCIM 2.0 server.

Added new password storage schemes

New DS-46018 PingDirectory

Added new password storage schemes that provide support for the Argon2i, Argon2d, and Argon2id variants of the Argon2 password hash and proof-of-work function. We previously offered only a single Argon2 password storage scheme (which used Argon2i behind the scenes), but the new schemes make it possible to explicitly indicate which variant should be used for encoding passwords.

For more information about password storage schemes, see Supported password storage schemes.

Added an HTTP servlet extension to support Prometheus

New DS-46593

Added an HTTP servlet extension that allows the values of numeric monitor attributes to be published as metrics in a form that can be consumed by a Prometheus monitoring server. For more information, see Monitoring server metrics with Prometheus.

Fixed issues with data security auditors

Fixed DS-12140, DS-42173, DS-46123, DS-46124, DS-46125, DS-4782, DS-4783, DS-4784, DS-5130 PingDirectory

  • Fixed an issue in which the locked account data security auditor did not include the number of validator-locked entries in the summary generated when completing processing for a backend.

  • Fixed an issue in which the expired password data security auditor could incorrectly report that an entry has an old password even when it has been changed more recently than the configured password evaluation age.

  • Fixed an issue with the weakly encoded password data security auditor that could prevent it from detecting passwords encoded with certain schemes.

  • Updated the weakly encoded password data security auditor so passwords encoded using unsalted SHA-1 digests, salted SHA-1 digests, salted MD5 digests, and the MD5 variant of the CRYPT password storage scheme are now considered weak by default.

  • Updated the Server SDK to add support for creating custom data security auditors.

For more information about data security auditors, see Auditing data content.

Removed support for incremental backups

Fixed DS-44442 PingDirectory

Removed support for incremental backups, which had been deprecated since the 8.3.0.0 release. As an alternative, we recommend using LDIF exports, which are more useful, more portable, and much more compressible than full backups, and they can be taken more frequently than full backups without consuming as much disk space. Further, the extract-data-recovery-log-changes tool can be used in conjunction with either LDIF exports or backups to replay changes recorded in the data recovery log since the time the export or backup was created.

Exploded indexes are no longer created unexpectedly

Fixed DS-44966 PingDirectory

Fixed an issue where exploded indexes were unexpectedly created following an unclean shutdown.

Fixed an issue with dsreplication

Fixed DS-45044 PingDirectory

Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.

The hibernate-validator library in the management console has been updated to version 6.2.1

Fixed DS-45461 PingDirectory

To close a vulnerability found in hibernate-validator 5.4.3 in the management console, we are updating the console to version 6.2.1. This newer version requires jakarta-validator 2.0.2 rather than the older javax-validator 1.1.0, so we are also upgrading the directory server to use jakarta-validator 2.0.2 to preserve compatibility.

In version 2, javax-validator moved to the jakarta project but still uses the javax namespace, so no code changes are needed beyond the dependency updates. If we move to jakarta-validator v3 in the future, however, we will need to move to the jakarta namespace.

Fixed an issue causing the replication initialize task to fail

Fixed DS-45567 PingDirectory

Fixed an issue where a replication initialize task that ran longer than the configured connection idle-timeout-limit would cause the initialize to fail.

Resource limits are now set for the topology admin user

Fixed DS-45638 PingDirectory

Fixed an issue where resource limits for the topology admin user created during replication enable were not set.

Updated jQuery

Fixed DS-45933

Updated jQuery to 3.6.0.

Fixed an issue with replication enablement

Fixed DS-45960 PingDirectory

Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.

Fixed an issue causing slow response time

Fixed DS-46017 PingDirectory

Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.

Fixed an issue causing sync to slow down

Fixed DS-46119 PingDataSync

Fixed an issue encountered when using PingDataSync with a PingOne Sync Destination that caused sync to slow down significantly after 5 minutes and generate extraneous requests to the sync destination.

Fixed an issue preventing changes to certain password policy state attributes from being applied

Fixed DS-46121 PingDataSync

Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.

Exposed previously hidden properties in the PingDirectoryProxy server

Fixed DS-46129 PingDirectoryProxy

Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.

The migrate-ldap-schema tool now removes incorrect single quotes

Fixed DS-46169 PingDirectory

Modified the migrate-ldap-schema tool to remove incorrect single-quotes enclosing the attribute type syntax OID in schemas being imported from Microsoft Active Directory.

Users are no longer prevented from changing their own passwords

Fixed DS-46392 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.

New servers can now be enabled into a large topology

Fixed DS-46436 PingDirectory

Fixed an issue where new servers could not be enabled into a large topology.

Enhanced the audit-data-security tool to use new data security auditors

Improved PingDirectory

The audit-data-security tool is used to identify potential risks or other notable security characteristics contained in directory data. This tool has been enhanced to use new data security auditors defined in the server configuration. The new data security auditors can identify:

  • Accounts with password policy state issues that might currently or soon affect their usability.

  • Accounts with an activation time in the future, an expiration time in the past, or an expiration time in the near future.

  • Accounts with passwords encoded using deprecated password storage schemes.

  • Accounts for users that have not authenticated in longer than a specified length of time.

  • Accounts that are configured to use a nonexistent password policy and are therefore unable to authenticate.

  • Entries that match a specified search filter.

Also, the locked account auditor is now able to identify validation-locked accounts, and the weakly encoded password auditor can now flag passwords encoded with SMD5, SHA, and SSHA, and also the MD5 variant of the CRYPT scheme.

For more information about the audit-data-security tool, see Auditing data content.

Improved logging with the addition of new features

Improved PingDirectory

Several features have been added to improve logging and the summarize-access-log tool to provide a better experience for administrators. The summarize-access-log tool already provided a list of the domain names of the target users for the most common bind failures, but the following metrics have been added to improve the detection of possible security issues:

  • The IP addresses of the clients with the most failed bind attempts (in case a single client is trying to access multiple accounts, as might happen in a credential stuffing attack).

  • The addresses of the users with the most consecutive authentication failures (that is, most failures between successes or most failures without a success).

  • The identification of filters with parentheses, ampersands, pipes, single quotes, and double quotes, which might indicate an unsuccessful LDAP filter injection attempt.

  • The identification of filters with the words "select" and "from", which might indicate an unsuccessful SQL injection attempt.

  • The identification of the most commonly used and missing privileges.

  • The tracking of the number of components used in filters, since an increase in the number of filters with more components might suggest a successful injection attempt.

For more information about the summarize-access-log tool, see Logging Tools.
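The detection metrics listed above, as an added Python example that is not the summarize-access-log tool or any PingDirectory code: it runs over a few constructed log lines in a simplified, assumed format (the real access log format differs) and computes failed binds per client IP, the longest run of consecutive bind failures per user, filters whose assertion values contain escaped or raw filter metacharacters or the words "select" and "from", and a histogram of filter component counts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified format assumed for this example.
SAMPLE_LOG = """\
BIND conn=1 ip=203.0.113.5 dn="uid=alice,ou=people,dc=example,dc=com" result=49
BIND conn=2 ip=203.0.113.5 dn="uid=bob,ou=people,dc=example,dc=com" result=49
BIND conn=3 ip=203.0.113.5 dn="uid=carol,ou=people,dc=example,dc=com" result=49
BIND conn=4 ip=198.51.100.7 dn="uid=dave,ou=people,dc=example,dc=com" result=49
BIND conn=5 ip=198.51.100.7 dn="uid=dave,ou=people,dc=example,dc=com" result=49
BIND conn=6 ip=198.51.100.7 dn="uid=dave,ou=people,dc=example,dc=com" result=0
BIND conn=7 ip=198.51.100.7 dn="uid=dave,ou=people,dc=example,dc=com" result=49
SEARCH conn=8 ip=192.0.2.9 filter="(uid=bob)"
SEARCH conn=9 ip=192.0.2.9 filter="(uid=bob\\29\\28|\\28uid=*)"
SEARCH conn=10 ip=192.0.2.9 filter="(cn=' or 1=1 --)"
SEARCH conn=11 ip=192.0.2.9 filter="(description=select * from users)"
SEARCH conn=12 ip=192.0.2.9 filter="(&(uid=bob)(objectClass=person)(mail=*))"
"""

LINE_RE = re.compile(r"^(?P<kind>BIND|SEARCH) conn=(?P<conn>\d+) ip=(?P<ip>\S+) (?P<rest>.*)$")
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)" result=(?P<result>\d+)')
FILTER_RE = re.compile(r'filter="(?P<filter>.*)"$')

# RFC 4515 escaped forms of ( ) & | ' " inside assertion values, plus raw quotes, & and |.
META_ESCAPES = re.compile(r"\\(28|29|26|7c|27|22)", re.IGNORECASE)
RAW_META = set("'\"&|")
SQL_WORDS = re.compile(r"\b(select|from)\b", re.IGNORECASE)
LEAF_RE = re.compile(r"\((?![&|!])")      # an opening paren not starting AND/OR/NOT
VALUE_RE = re.compile(r"=([^)]*)")        # assertion value: after '=' up to ')'


def parse_line(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"kind": m["kind"], "conn": int(m["conn"]), "ip": m["ip"]}
    if rec["kind"] == "BIND":
        d = DN_RE.search(m["rest"])
        rec["dn"], rec["result"] = d["dn"], int(d["result"])
    else:
        rec["filter"] = FILTER_RE.search(m["rest"])["filter"]
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_binds_by_ip(records):
    """Clients with the most failed binds (one client, many accounts = stuffing pattern)."""
    return Counter(r["ip"] for r in records if r["kind"] == "BIND" and r["result"] != 0)


def max_consecutive_failures(records):
    """Longest run of bind failures per user, reset by a successful bind."""
    streak, best = defaultdict(int), defaultdict(int)
    for r in records:
        if r["kind"] != "BIND":
            continue
        if r["result"] == 0:
            streak[r["dn"]] = 0
        else:
            streak[r["dn"]] += 1
            best[r["dn"]] = max(best[r["dn"]], streak[r["dn"]])
    return dict(best)


def filter_component_count(f):
    """Number of leaf (attribute=value) components in a filter string."""
    return len(LEAF_RE.findall(f))


def filter_findings(f):
    """Reasons a filter looks like an injection attempt; empty list if none."""
    reasons = []
    if any(META_ESCAPES.search(v) or RAW_META & set(v) for v in VALUE_RE.findall(f)):
        reasons.append("filter-metacharacters-in-value")
    if SQL_WORDS.search(f):
        reasons.append("sql-keywords")
    return reasons


def summarize(text):
    records = parse_log(text)
    searches = [r for r in records if r["kind"] == "SEARCH"]
    return {
        "failed_binds_by_ip": failed_binds_by_ip(records),
        "max_consecutive_failures": max_consecutive_failures(records),
        "suspicious_filters": [(r["conn"], r["filter"], filter_findings(r["filter"]))
                               for r in searches if filter_findings(r["filter"])],
        "filter_component_histogram": Counter(filter_component_count(r["filter"]) for r in searches),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The component histogram is meant to be compared across time windows rather than read in isolation: a sudden shift towards filters with more components than the application normally issues is the signal the note describes.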

Access control improvements

Improved PingDirectory

PingDirectory provides a number of features to manage access to data within the data store, including Access Control Instructions and connection criteria. In this release, the access control handler adds support for bind rules that make access control decisions based on whether the client connection is secure or whether it matches a given set of connection criteria, and for a target that determines whether a rule applies to a given request based on request criteria.

Updated global configuration

Improved DS-38078 PingDirectory

Updated the global configuration to define configuration properties that can be used to set alternative size limit, time limit, idle time limit, and lookthrough limit values for unauthenticated clients. By default, the server will use the same default limits for both authenticated and unauthenticated clients, but you can now set limits for unauthenticated clients that are different from the default limits imposed for authenticated clients. It is still possible to override these limits on a per-user basis with operational attributes in the user’s entry.

Added support for generating digital signatures with a key obtained from an encryption settings definition

Improved DS-38277

Added support for generating digital signatures with a key obtained from an encryption settings definition. By default, the server’s preferred encryption settings definition will be used to obtain the signing key, but you can use the signing-encryption-settings property in the crypto manager configuration to choose an alternative definition.

Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.

Added support for HTTP forward proxy

Improved DS-40345

Updated the server to add HTTP forward proxy support for several server components that might need to establish HTTP and HTTPS connections to external services. Updated components include:

  • The Amazon Key Manager cipher stream provider

  • The Amazon Secrets Manager cipher stream provider

  • The Amazon Secrets Manager passphrase provider

  • The Amazon Secrets Manager password storage scheme

  • The Azure Key Vault cipher stream provider

  • The Azure Key Vault passphrase provider

  • The Azure Key Vault password storage scheme

  • The PingOne pass-through authentication plugin

  • The PingOne sync source and destination

  • The Pwned Passwords password validator

  • The SCIMv1 sync destination

  • The SCIMv2 sync destination

  • The Twilio alert handler

  • The Twilio OTP delivery mechanism

  • The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler

The replication-purge-obsolete-replicas property is now set to true by default

Improved DS-41467 PingDirectory

The replication-purge-obsolete-replicas global configuration property is now set to true by default for new and upgraded PingDirectory servers so that obsolete replicas are purged.

The replace-certificate tool now re-prompts user for path to valid file containing certificates

Improved DS-45968

Updated the replace-certificate tool’s behavior when running in interactive mode. Previously, when it prompted the user for the path to a file containing one or more certificates to be imported, it would exit with an error if the provided path represented a file that did not contain valid certificate information. It will now re-prompt the user for the path to a valid file after displaying the error message.

Updated replication enable synopsis

Improved DS-46127 PingDirectory

Updated replication enable synopsis to mention that schema initialization is part of the enable process and explain that the order of provided servers is significant for the initialization.

Updated the dsconfig tool

Improved DS-46313

Updated the dsconfig tool to ensure that it uses the correct authentication type when applying changes to all servers in a server group. Previously, it would always attempt to use simple authentication, even if the connection to the initial server was authenticated using a different mechanism.

Enhanced the replication server

Improved DS-46332 PingDirectory

The replication server now continues to handle incoming replication connections even when there is an unexpected exception.

Updated Amazon AWS external server configuration

Improved DS-46615

Updated the Amazon AWS external server configuration to provide more control over the method used to authenticate to AWS. Previously, it was only possible to authenticate with an access key or an IAM role. We have added an option to use an IRSA role, and we have also added an option to use a default credentials provider chain that attempts to identify an appropriate authentication method for cases in which the server is running in the AWS environment (for example, EC2 or EKS) based on locally available information like system properties and environment variables.

dsreplication enable subcommand description differs based on operating system

Issue DS-46127 PingDirectory

There is a known issue with the description of the dsreplication enable subcommand differing based on the operating system. On macOS, an updated description is shown:

"Update the configuration of the servers to replicate the data under the specified base DN(s). If one of the two servers is already part of an existing replication topology, then that server must be specified as the first server. This is because the schema of the second server will be updated to match the schema of the first. The configuration of all the servers in the existing topology will also be updated, so it is sufficient to perform this operation once for each new server that is added to the topology. The server-to-server replication communication is always secured with SSL."

But on some operating systems, including Windows and CentOS, the older description is shown that doesn’t mention the schema initialization.

Support for HashiCorp Vault password storage schemes

Issue DS-49305 PingDirectory

Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.

PingDirectory suite of products 9.1.0.4 (November 2023)

Added a configuration property to the Config File Handler backend

New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under specified base DNs.

If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration gets added to the configuration archive, but that archived configuration file can be removed after the next configuration change.

By default, this property applies to the topology registry subtree.

Faster server backup and recovery

Improved DS-45157 PingDirectory

We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.

Enhanced the dsreplication enable command

Improved DS-46902 PingDirectory

The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.

Improved the response time of dsreplication enable

Improved DS-46906 PingDirectory

Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.

Fixed an issue with the purging of obsolete replicas

Fixed DS-47369 PingDirectory

Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.

Fixed a potential NPE for missing changes in replication

Fixed DS-47289 PingDirectory

Fixed a possible null pointer exception in replication where missing changes were found for a replica, but that replica didn’t exist on all servers. This could have occurred in scenarios where the replica was obsolete and purged concurrent to the check for missing changes.

Fixed an issue with the remove-defunct-server command

Fixed DS-47784 PingDirectory

Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme. In these cases, the encryption settings were not initialized before initializing the password policy components.

Fixed an error with replicated PingDirectory server topologies

Fixed DS-47103 PingDirectory

Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.

Fixed an issue with index name length

Fixed DS-47182 PingDirectory

Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.

Fixed an issue where adding a hotfix server to a topology failed

Fixed DS-46807 PingDirectory

Fixed an issue where dsreplication enable failed to add a server with a hotfix build to an existing topology with a previous build. The hotfix server would attempt to become topology master immediately, interrupting proper initialization.

Fixed an issue with nondescript logging for manage-profile replace-profile errors

Fixed DS-46983 PingDirectory

Fixed an issue where errors that occurred during a manage-profile replace-profile operation would only log "Batch command failed" entries.

Batched dsconfig commands that are executed during manage-profile replace-profile will now report a detailed cause for the failing command.

Fixed an issue that caused an NPE when using realtime-sync

Fixed DS-47609 PingDataSync

Fixed an issue where the server would throw a null pointer exception and fail to synchronize during a realtime-sync operation.

Fixed an issue that caused an NPE when adding a server

Fixed DS-45527 PingDataSync

Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

PingDirectory suite of products 9.1.0.3 (August 2023)

Fixed a security issue

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

PingDirectory suite of products 9.1.0.2 (March 2023)

Fixed an issue with resource limits for the topology admin user

Fixed DS-45638 PingDirectory

Fixed an issue where resource limits for the topology admin user created during replication enable were not set.

Fixed an issue with password policy state attributes

Fixed DS-46121 PingDataSync

Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.

Fixed an issue causing missing IntraSync User operational attributes

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed an issue with changing passwords within minAge

Fixed DS-46882 PingDirectory

Fixed an issue with password changes attempted within the minAge period. Such an attempt now responds with an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.

PingDirectory suite of products 9.1.0.1 (November 2022)

Fixed an issue with the dsreplication tool

Fixed DS-45044 PingDirectory

Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.

Fixed an issue with replication enablement

Fixed DS-45960 PingDirectory

Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.

Fixed an issue with slow response times on PingDirectory servers

Fixed DS-46017 PingDirectory

Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.

Fixed an issue preventing users from changing their passwords

Fixed DS-46392 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.

Updated the PingDirectoryProxy server to expose properties in global configuration

Improved DS-46129 PingDirectoryProxy

Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.

Improved the replication server’s handling of incoming replication connections

Improved DS-46332 PingDirectory

The replication server now continues to handle incoming replication connections even when there is an unexpected exception.

PingDirectory suite of products 9.1.0.0 (June 2022)

Added support to sanitize access logs to protect sensitive information

New

Log files can potentially contain sensitive or identifiable information that you might not necessarily want recorded in the clear. The server can now be configured to sanitize access logs as they are being written. This is available for any writer-based or JSON-formatted access log, and elements in the log message can be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see Log sanitization.

Added support for processing JSON-formatted access logs

New

PingDirectory provides a robust logging system allowing for detailed analysis of the server’s functioning, including support for creating log files written in JSON format. The summarize-access-log command, which is used to display several metrics about operations processed within the server, now supports processing JSON-formatted access logs.

Updated Directory REST API

New

The Directory REST API allows developers to create customized applications for managing the entries in a directory instance. The Directory REST API now supports controls previously only available through LDAP calls. This includes the ability to perform joins, allowing for advanced data modeling of relationships.

Added conflict error messages for replicated PingDirectory deployments

New

In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically, and in such cases the server whose add attempt creates a conflict now returns a CONFLICT result in the replication response control and LDAP result code.

JSON-formatted access logger updated

Improved DS-44507, DS-45243, DS-45530

Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.

PingDataSync Server supports PingOne as a sync destination

Improved PingDataSync

PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.

Synchronize data to custom attributes defined in the PingOne environment

Improved PingDataSync

When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.

Repeating cycle when resetting a password

Issue PingDirectory

If your password policy for an admin user (such as a topology administrator or rootDN) is set with --set force-change-on-reset:true or --set force-change-on-add:true, you cannot update that administrator’s password without it being considered an administrator reset.

An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator in a repeating cycle when resetting the password.

One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:

$ bin/manage-account set-must-change-password \
    --mustChangePassword false \
    --targetDN cn=<admin cn>

setup tool failure because of Bouncy Castle JAR files

Issue

The setup command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the lib directory that begin with bc. The JAR files are mentioned in an error message similar to the following: An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server’s classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.

Bouncy Castle libraries are not removed from the lib directory

Issue DS-46007

If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the lib directory, resulting in both the older and newer versions of the library being in the lib directory. This should not cause any problems with the server, but it might result in warning messages in the server’s error log about different versions of the same JAR file in the classpath (for example, The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar and The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.

JSON-formatted controls rejected

Issue DS-46016 PingDirectory, PingDirectoryProxy

JSON-formatted join request controls with their criticality set to false are rejected as if their criticality were true by non-search requests.

Fixed an issue that prevented the server from refreshing monitor data

Fixed DS-41468

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.

Fixed the status tool

Fixed DS-44481

The status tool now shows the current collect-support-data version.

Fixed key and trust store PIN issues

Fixed DS-45336

Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.

Updated the server to create the esTokenizer.ping file if it does not exist

Fixed DS-45449 PingDirectory

Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

Password policies using virtual attributes are now correctly applied

Fixed DS-45466 PingDirectory

Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.

Improved string representations of active operations and persistent searches

Fixed DS-45485 PingDirectory, PingDirectoryProxy

Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.

The encode-password tool now works with AES256 password storage

Fixed DS-45546 PingDirectory

Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.

Support added for synchronizing custom attributes defined in PingOne destinations

Fixed DS-36184, DS-45125 PingDataSync

Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.

Set a consistent priority index when adding two PingDataSync servers into a new failover topology

Fixed DS-45123 PingDataSync

Updated the manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.

Updated the sanitize-log tool

Fixed DS-16236 PingDirectory

Updated the sanitize-log tool to better align with the server’s support for sanitizing log messages as they are logged. Changes include:

  • It is preconfigured with default behaviors for an expanded set of log fields.

  • It can be configured to suppress the default log field behavior configuration and use only explicitly specified configuration.

  • It offers support for additional sanitization options, including omitting fields and differentiating between values that should be redacted or tokenized in their entirety and values that should be redacted or tokenized by component.

  • It now uses syntax-aware redaction and tokenization.

  • It offers support for specifying a default behavior to use on a per-syntax basis.

  • It can obtain its settings from a log field behavior definition in the server configuration.

Improved assured replication result codes for conflicts

Improved DS-42302 PingDirectory

Added support for improved assured replication result codes when replication conflicts occur. For processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.

Fixed password policy state extended operation

Fixed DS-44667 PingDirectory

Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.

Added a new Docker command-line tool

Improved DS-45147 PingDirectory, PingDataSync, PingDirectoryProxy

Added a docker-pre-start-config command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container’s environment.

Added a new argument for manage-profile generate-profile

Improved DS-45163

Added a --excludeSetupArguments argument for the manage-profile generate-profile command, which allows generating a server profile that does not include a setup-arguments.txt file. Added a --skipValidation argument for the manage-profile replace-profile command, which allows skipping the final server validation step when running on an offline server. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile’s <server-root>/pre-setup/ directory.

Fixed an issue with server privileges

Fixed DS-45250

Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.

Improved protections around the ds-pwp-modifiable-state-json operational attribute

Improved DS-45255, DS-45504, DS-45505 PingDirectory

Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to ds-pwp-modifiable-state-json if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for modify operations, and the server would properly reject add attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.

The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it prohibits attempts to update the ds-pwp-modifiable-state-json operational attribute in another user’s entry in the same modify request that also resets that user’s password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions, while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user’s password policy state.

Fixed a backwards compatibility issue with the migrate-ldap-schema tool

Fixed DS-45322 PingDirectory

A former version of the tool allowed the --useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.

Removed two password policies for non-password users

Fixed DS-45439, SF:00741269 PingDirectory

Minimum and maximum age password policies are no longer applied for users without a password.

Updated Kafka version

Security DS-45462

Updated PingDirectory products to use Kafka 2.8.1, which resolves.

Fixed incorrect index skipping

Fixed DS-45470 PingDirectory

Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine that the results from one index should already be encompassed by the results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).

Updated the topology registry and the replace-certificate tool

Improved DS-45480, DS-45636

Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server’s certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.

Made the following updates to the replace-certificate tool:

  • Added new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.

  • Added a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.

  • Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate’s issuers, or adding both the listener certificate and its issuers.

  • Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.

Fixed an access log reporting issue

Fixed DS-45487 PingDirectory

Fixed an issue where access logs incorrectly reported negative processing times for certain operations.

Added support for JSON-formatted request and response controls

Improved DS-45494 PingDirectory, PingDirectoryProxy

Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.

Updated the server Bouncy Castle cryptographic library versions

Security DS-45503

Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.

Added support for generic strings in access and error log messages

Improved DS-45541, DS-45542

Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.

Updated the local DB backend to disable the index cursor entry limit by default

Improved DS-45564 PingDirectory

This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.

In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.

Fixed gauge alarm issues

Fixed DS-45578 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.

Fixed server lockdown issue in newly initialized databases

Fixed DS-45582 PingDirectory

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server "…may have missed one or more update(s)" if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.

Updated the export-reversible-passwords tool

Fixed DS-45600 PingDirectory

Updated the export-reversible-passwords tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.

Fixed a server operation rejection issue

Fixed DS-45767 PingDirectory

Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It continues to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.

Fixed a replication protocol message issue

Fixed DS-45714, SF:00753519 PingDirectory

Fixed an issue that allowed replication protocol messages to be dropped.

Updated to LDAP SDK version 6.0.5

Fixed DS-45746 PingDirectory

Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.

Fixed a server issue causing internal errors during monitoring

Fixed DS-45786 PingDirectory

Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.

Fixed a Directory REST API error with mismatched time syntax attribute values

Fixed DS-45788 PingDirectory

Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
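The failure mode in this fix is a value that is valid Generalized Time syntax but not in the canonical YYYYMMDDhhmmssZ shape. As an added example, not PingDirectory's own code, here is a Python parser for the full RFC 4517 GeneralizedTime grammar (omitted minutes or seconds, fractions, UTC offsets) that converts to the UTC ISO 8601 form SCIM uses, beside a strict check showing which constructed sample values a narrow 14-digit-plus-Z format would have accepted.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fff|,fff](Z|+HH[MM]|-HH[MM]).
# The regex is constructed for this example and is not the server's parser.
_GT_RE = re.compile(
    r"^(?P<year>[0-9]{4})(?P<month>[0-9]{2})(?P<day>[0-9]{2})(?P<hour>[0-9]{2})"
    r"(?:(?P<minute>[0-9]{2})(?P<second>[0-9]{2})?)?"
    r"(?:[.,](?P<fraction>[0-9]+))?"
    r"(?P<tz>Z|[+-][0-9]{2}(?:[0-9]{2})?)$"
)

# The only shape a parser hard-coded to YYYYMMDDhhmmssZ would accept.
_STRICT_RE = re.compile(r"^[0-9]{14}Z$")


def accepted_by_strict_format(value: str) -> bool:
    """True if the value matches the narrow YYYYMMDDhhmmssZ format only."""
    return _STRICT_RE.match(value) is not None


def parse_generalized_time(value: str) -> datetime:
    """Parse any syntactically valid GeneralizedTime into an aware datetime."""
    m = _GT_RE.match(value)
    if m is None:
        raise ValueError(f"not a valid GeneralizedTime: {value!r}")
    year, month, day, hour = (int(m.group(g)) for g in ("year", "month", "day", "hour"))
    minute = int(m.group("minute")) if m.group("minute") is not None else 0
    second = int(m.group("second")) if m.group("second") is not None else 0
    # The syntax permits a leap second ("60"); datetime cannot represent it,
    # so carry it forward as one extra second.
    leap = timedelta(seconds=1) if second == 60 else timedelta(0)
    if second == 60:
        second = 59
    # A fraction applies to the smallest component that is actually present:
    # seconds, else minutes, else hours.
    extra = timedelta(0)
    frac = m.group("fraction")
    if frac:
        f = int(frac) / (10 ** len(frac))
        if m.group("second") is not None:
            extra = timedelta(seconds=f)
        elif m.group("minute") is not None:
            extra = timedelta(minutes=f)
        else:
            extra = timedelta(hours=f)
    tz = m.group("tz")
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        off_h = int(tz[1:3])
        off_m = int(tz[3:5]) if len(tz) == 5 else 0
        tzinfo = timezone(sign * timedelta(hours=off_h, minutes=off_m))
    # datetime() rejects out-of-range fields (month 13, hour 24, ...) itself.
    return datetime(year, month, day, hour, minute, second, tzinfo=tzinfo) + extra + leap


def to_scim_datetime(value: str) -> str:
    """Render a GeneralizedTime as the UTC ISO 8601 string SCIM dateTime uses."""
    dt = parse_generalized_time(value).astimezone(timezone.utc)
    if dt.microsecond:
        return dt.strftime("%Y-%m-%dT%H:%M:%S.%f").rstrip("0") + "Z"
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def rejects(value: str) -> bool:
    """True if the full parser refuses the value (used for negative cases)."""
    try:
        parse_generalized_time(value)
    except ValueError:
        return True
    return False


# Constructed sample values: all are valid GeneralizedTime, only the first is
# in the canonical shape.
SAMPLE_VALUES = [
    "20220615143000Z",       # canonical form
    "20220615143000.123Z",   # fractional seconds
    "202206151430Z",         # seconds omitted
    "2022061514Z",           # minutes and seconds omitted
    "2022061514.5Z",         # fraction of an hour (30 minutes)
    "20220615143000-0500",   # UTC offset instead of Z
    "20220615143000+01",     # offset given as hours only
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{v:24} strict={accepted_by_strict_format(v)!s:5} -> {to_scim_datetime(v)}")
```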

Fixed Proxy server manage-profile replace-profile errors

Fixed DS-45798 PingDirectoryProxy

In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:

The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other)
...

This fix ensures that the configuration is loaded before the merge that the error message refers to.

Updated Jackson Databind version

Security DS-45806

Updated Jackson Databind to 2.13.3.

Updated the commons-codec library

Security DS-45898

Updated the commons-codec library to version 1.13.

Updated the Google Guava dependency in common libraries

Security DS-45903

Updated the Google Guava dependency in common libraries.

Updated Directory REST API to exclude RDN values in modify requests

Improved DS-45948 PingDirectory

The Directory REST API no longer includes RDN values in modify requests to update the DN of an entry, because RDN values are updated by default in modify DN requests.

Delegated Admin 4.10 (June 2022)

Accounts can be directly unlocked

New Delegated Admin

Managing accounts includes the ability to unlock accounts. Previously, the only way to unlock an account was for an administrator to reset the password. Now, Delegated Admin users can directly unlock an account without resetting the password.

The initiate password reset option does not unlock accounts.

Assign custom names for Members and Nonmembers columns

New Delegated Admin

Managing group membership is a common administrative user task. Resource types can now have custom names assigned for Members and Nonmembers columns. This option is available for the Groups, Users and Generic REST resource types.

New Delegated Admin

Currently, we are using the Implicit grant type. However, the Implicit grant type is no longer recommended because it can leak access tokens. For more information, see https://oauth.net/2/grant-types/implicit/. For new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE.
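The difference between the two grant types described above is that Authorization Code with PKCE binds the authorization code to a secret that only the legitimate client can prove at the token endpoint, so a code or token leaked through a redirect is useless on its own. The following is an added illustration, not code from Delegated Admin or PingDirectory: it implements the client-side code verifier and S256 challenge from RFC 7636 and a constructed toy authorization server (`AuthorizationServer`) that accepts only S256 and single-use codes. The client identifier `delegated-admin` is a placeholder; the verifier/challenge pair in the comment is the worked example from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters of [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# A base64url-encoded SHA-256 digest is always 43 characters without padding.
_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-character verifier."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier))).

    RFC 7636 Appendix B: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    yields challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.
    """
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PKCEError(Exception):
    """Raised by the toy server for any failed PKCE check."""


class AuthorizationServer:
    """Constructed toy authorization server: S256 only, single-use codes."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: record the challenge and hand back a code."""
        if method != "S256":
            # "plain" would send the verifier itself through the browser.
            raise PKCEError("only the S256 code_challenge_method is accepted")
        if not _CHALLENGE_RE.match(code_challenge):
            raise PKCEError("code_challenge is not a base64url SHA-256 digest")
        code = _b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code  # delivered to the client in the redirect URI query string

    def redeem(self, code: str, client_id: str, code_verifier: str) -> str:
        """Token endpoint: the code is only exchanged if the verifier matches."""
        entry = self._pending.pop(code, None)  # pop: a code can be redeemed once
        if entry is None:
            raise PKCEError("unknown or already used authorization code")
        expected_client, challenge = entry
        if client_id != expected_client:
            raise PKCEError("code was issued to a different client")
        if not _VERIFIER_RE.match(code_verifier):
            raise PKCEError("code_verifier has an invalid length or character set")
        # Constant-time comparison of the recomputed challenge.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PKCEError("code_verifier does not match the code_challenge")
        return "access-token-" + _b64url(secrets.token_bytes(16))


def demo_flow() -> bool:
    """Happy path: client makes verifier/challenge, server issues and redeems the code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("delegated-admin", make_code_challenge(verifier))
    token = server.redeem(code, "delegated-admin", verifier)
    return token.startswith("access-token-")


if __name__ == "__main__":
    print("PKCE flow succeeded:", demo_flow())
```

The server never sees the verifier until the token request, so an attacker who captures the redirect (the weakness of the Implicit grant, where the token itself travels in the URL fragment) holds only a code that cannot be exchanged without the verifier.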

Upload and display image files and certificates

New Delegated Admin

Customers using Delegated Admin can now upload and display image files and upload certificates for properly configured resource types. Certificates are encoded before being stored.

Name of uploaded file is not displayed

Issue DS-45739 Delegated Admin

When uploading certificates or photos to REST resource types in Delegated Admin, the name of the uploaded file is not displayed. If multiple certificates are uploaded for a user, a number will be assigned based on the order the certificates were uploaded in.

Fixed input validation issue

Fixed DS-45760 Delegated Admin

Fixed a form input validation issue for required integer attributes on a resource type that was preventing users from saving new resources.

Non-members are no longer displayed initially for group resource types

Fixed DS-45483 Delegated Admin

Non-members of a group are no longer displayed initially on the edit group membership view for the group resource types.

Non-members are no longer displayed initially for users and generic resource types

Fixed DS-45611 Delegated Admin

Non-member groups are no longer displayed initially on the edit group membership view for the users and generic resource types.

Non-members are no longer loaded in group resource type search results

Fixed DS-45591 Delegated Admin

Non-members of a group are no longer loaded in the group resource type search results on the group membership tab.

PingDirectory suite of products 9.0.0.6 (August 2023)

Fixed an issue where the server rejected certain operations

Fixed DS-45767 PingDirectory

Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It will continue to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server will continue processing the operation as if that control had not been requested.

Fixed a security issue

Security DS-47632 PingDirectory

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported versions of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.

PingDirectory suite of products 9.0.0.5 (April 2023)

Fixed an issue causing missing operational attributes

Fixed DS-46695 PingDataSync

Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed an issue with changing passwords

Fixed DS-46882 PingDirectory

Fixed an issue with password changes: attempting to change a password that is still within the minAge period now responds with an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.

PingDirectory suite of products 9.0.0.4 (January 2023)

Fixed an issue preventing the server from refreshing monitor data

Fixed DS-41468

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.

Fixed an issue with the dsreplication tool

Fixed DS-45044 PingDirectory

Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.

Fixed an issue with the encode-password tool

Fixed DS-45546 PingDirectory

Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.

Fixed an issue with resource limits

Fixed DS-45638 PingDirectory

Fixed an issue where resource limits for the topology admin user created during replication enable were not set.

Fixed an issue causing configurations not to load correctly

Fixed DS-45798 PingDirectoryProxy

In the PingDirectoryProxy server, manage-profile replace-profile sometimes failed with an error similar to the following:

The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other)
...

This fix ensures that the configuration is loaded before the merge that the error message refers to.

Fixed an issue causing replication enablement to fail

Fixed DS-45960 PingDirectory

Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.

Fixed an issue with changes to Password Policy State attributes

Fixed DS-46121 PingDataSync

Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.

Fixed an issue preventing users from changing their passwords

Fixed DS-46392 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the PingDirectoryProxy server.

The maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties are now exposed in the global configuration

Improved DS-46129 PingDirectoryProxy

Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.

The replication server now continues to handle incoming replication connections

Improved DS-46332 PingDirectory

The replication server now continues to handle incoming replication connections even when there is an unexpected exception.

PingDirectory suite of products 9.0.0.2 (July 2022)

Updated Kafka version

Security DS-45462

Updated PingDirectory products to use Kafka v2.8.1.

Updated the server to create the esTokenizer.ping file if it does not exist

Fixed DS-45449 PingDirectory

Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

Updated the active operations monitor provider

Improved DS-45485 PingDirectory, PingDirectoryProxy

Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the LDAP SDK for Java.

Fixed a Directory REST API error with mismatched time syntax attribute values

Fixed DS-45788 PingDirectory

Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a SCIM entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
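The DS-45788 fix described here (and in the earlier listing above) is a reminder that Generalized Time syntax (RFC 4517) is broader than the one layout YYYYMMDDhhmmssZ: minutes and seconds are optional, a fraction of the smallest unit given is allowed after "." or ",", and the zone can be a "+hhmm"/"-hhmm" differential instead of "Z". The following parser is an added example, not PingDirectory code; it accepts the full syntax, normalises to the strict UTC form, and shows which valid values the strict check rejects. The sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Pattern built from the RFC 4517 ABNF (this example's own helper):
#   century year month day hour [minute [second]] [fraction] ("Z" / +-hh[mm])
# The fraction applies to the least significant unit that is present.
_GENERALIZED_TIME = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?:(?P<minute>\d{2})(?P<second>\d{2})?)?"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?:(?P<utc>Z)|(?P<sign>[+-])(?P<tzh>\d{2})(?P<tzm>\d{2})?)$"
)

# The single layout the Directory REST API used to require.
_STRICT_FORM = re.compile(r"^\d{14}Z$")


def matches_strict_form(value: str) -> bool:
    """True only for YYYYMMDDhhmmssZ."""
    return bool(_STRICT_FORM.match(value))


def parse_generalized_time(value: str) -> datetime:
    """Parse any RFC 4517 Generalized Time value into an aware datetime."""
    m = _GENERALIZED_TIME.match(value)
    if m is None:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    g = m.groupdict()
    minute = int(g["minute"] or 0)
    second = int(g["second"] or 0)

    # Fraction of the least significant unit that was supplied.
    extra = timedelta(0)
    if g["fraction"]:
        ratio = int(g["fraction"]) / 10 ** len(g["fraction"])
        if g["second"] is not None:
            unit = timedelta(seconds=1)
        elif g["minute"] is not None:
            unit = timedelta(minutes=1)
        else:
            unit = timedelta(hours=1)
        extra = unit * ratio

    # RFC 4517 allows "60" for a leap second; datetime cannot hold it, so
    # represent it as the following second (the nearest representable instant).
    leap = second == 60
    if leap:
        second = 59

    try:
        if g["utc"]:
            tz = timezone.utc
        else:
            offset = timedelta(hours=int(g["tzh"]), minutes=int(g["tzm"] or 0))
            tz = timezone(-offset if g["sign"] == "-" else offset)
        result = datetime(int(g["year"]), int(g["month"]), int(g["day"]),
                          int(g["hour"]), minute, second, tzinfo=tz)
    except ValueError as exc:
        raise ValueError(f"out-of-range field in {value!r}: {exc}") from exc
    return result + extra + (timedelta(seconds=1) if leap else timedelta(0))


def is_valid_generalized_time(value: str) -> bool:
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def to_canonical(value: str) -> str:
    """Normalise a valid value to YYYYMMDDhhmmssZ (UTC, fraction dropped)."""
    return parse_generalized_time(value).astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


if __name__ == "__main__":
    # Constructed sample values: all valid, only the first matches the strict form.
    for sample in ("20220615120000Z", "20220615120000.250Z", "20220615120000+0530",
                   "2022061512.5Z", "20221231235960Z"):
        print(f"{sample:24} strict={matches_strict_form(sample)!s:5} -> {to_canonical(sample)}")
```

A consumer that only recognises the strict form should at least parse the full syntax before deciding a value is malformed; returning a 500 for a value the directory itself accepted as valid is the failure mode the fix addresses.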

Fixed a SCIM POST request error response issue

Fixed DS-45863 PingDirectory

Resolved an issue where SCIM POST requests that violated a unique attribute constraint received an error response with status 400 (Bad Request) instead of 409 (Conflict).

Fixed a performance issue with large numbers of virtual static groups

Fixed DS-46017 PingDirectory

Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.

Fixed a SCIM POST request error response issue

Fixed DS-45647 PingDirectory

Resolved an issue where SCIM POST requests that violated a unique attribute constraint got an internal error instead of the expected SCIM error response.

Fixed a PingDataSync to PingOne sync performance issue

Fixed DS-46119 PingDataSync

Fixed an issue encountered when using PingDataSync with a PingOne Sync Destination that caused sync to slow down significantly after 5 minutes and generate extraneous requests to the sync destination.

PingDirectory suite of products 9.0.0.1 (March 2022)

Issue with syncing multi-valued JSON attributes to a PingOne destination

Issue PingDataSync

For multi-valued JSON attributes, you should not use JSON attribute mappings when synchronizing data to a PingOne destination. When synchronizing JSON data, you can use a direct attribute mapping if the data at the source server is JSON. If the data at the source server should be assembled into JSON form, you can define a constructed attribute mapping.

Added support for synchronizing data to custom attributes defined in PingOne destinations

Improved DS-36184, DS-45125 PingDataSync

Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.

When defining attribute mappings for a PingOne destination, you can use direct attribute mappings for string to string or JSON to JSON synchronizations. If a string attribute at the source server should be stored as JSON in the PingOne environment, you should define a constructed attribute mapping in PingDataSync.

PingDirectory suite of products 9.0.0.0 (December 2021)

New entry-balancing options

Improved PingDirectory

Entry balancing is a PingDirectoryProxy Server configuration that allows the entries within a portion of the directory information tree (DIT) to reside on multiple external servers. The entry counter, hash distinguished name (DN), and round-robin placement algorithms can now be configured to exclude backend sets for add operations, allowing for greater control over the use of multiple servers for entry balancing.

You can interact with entries within the data store including LDAP and several REST APIs

Improved PingDirectory

PingDirectory provides several interfaces for interacting with entries within the data store including LDAP and several REST APIs. In this release, the Directory REST API can now return any tagging options that are defined for an attribute. These tagging options are treated as subtypes of the same attribute while not explicitly declared in the schema.

CyberArk Conjur and Azure Key Vaults support added

Improved PingDirectory

In an earlier release, PingDirectory added support for a passphrase provider API to secure administrative passphrases, PINs, or passwords. This release adds both CyberArk Conjur and Azure Key Vault to the list of available passphrase and cipher stream providers. Cipher stream providers are used to protect the keys stored in the encryption settings database.

OAuth tokens can be used with the File Servlet

Improved PingDirectory

Because administrators now have the ability to single sign-on (SSO) to the PingDirectory administrative console, the File Servlet used to download files from a server instance can now also use OAuth tokens for authentication, in addition to HTTP basic authentication with a username and password.

Apply your own branding to console elements

Fixed PingDirectory, PingDirectoryProxy, PingDataSync

The administrative console is one tool you can use to configure and manage PingDirectory servers. In this release, you can now apply your own branding to console elements such as background colors, images and logos, and certain text elements. Sign on, sign out, and configuration pages are included in possible configuration areas. For more information, see the README.txt file in the console .war file shipped with PingDirectory.

New --performLocalCleanup option added to the remove-defunct-server command

Improved PingDirectory

To improve the defunct server topology cleanup process when your topology is unhealthy, such as during a network outage or disaster recovery, a new option to the remove-defunct-server command cleans up stale replication metadata before the server is added back into the topology. This new argument, --performLocalCleanup, allows administrators to easily take a server out of a topology for maintenance or troubleshooting and return the server back to the topology later. For more information on remove-defunct-server and its options, run bin/remove-defunct-server --help.

Added support for a pluggable pass-through authentication plugin

Improved PingDirectory

Earlier PingDirectory Server versions support pass-through authentication to remote LDAP servers or to PingOne, which can be useful when migrating data into the Directory Server from another service, or when the Directory Server needs to coexist with another service that is an authoritative source for user passwords. This release adds support for a pluggable pass-through authentication plugin, which makes it possible to pass through simple bind requests to an arbitrary external service using a pass-through authentication handler to manage interaction with that service, and the Server SDK has been updated to allow creating custom pass-through authentication handlers. As with existing pass-through authentication support, this functionality is only available for LDAP simple binds, and it does not support SASL authentication. For more information on this plugin, see Working with pass-through authentication.

Added new options to the dsreplication command to make replication faster

Improved PingDirectory

In multi-server deployments, replication is used to maintain consistency of data and schema between the servers. With larger deployments, initializing replication for multiple servers can take longer. New options to the dsreplication command can now speed up this process by initializing replication on multiple servers in parallel. The set of servers can be the entire deployment, or a subset selected by location, by instance name, or by a specific number of servers. For more information on dsreplication subcommands, see Summary of the dsreplication Subcommands.

Added a new password storage scheme to provide enhanced security

Improved PingDirectory

Typically, the passwords for administrative users have been stored directly in PingDirectory based on the configured password storage scheme. To provide enhanced security for those administrative accounts that need it, a new password storage scheme has been added that allows for the password to be stored in an external vault. Currently, Amazon AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault are supported.

The config-audit log now tracks the originating account information when individual changes are made

Improved PingDirectory

To better manage the configuration of multiple servers in large topologies, PingDirectory uses the config-audit log file to allow administrators to easily determine, replay or undo configuration changes made to servers. Previously, when modifying topology or cluster configuration, the original requesting account information was not logged. Now, to assist administrators and improve server auditing, the config-audit logs will track the originating account information that made individual changes. For circumstances where more protection is required, there is a new property that will redact any sensitive attributes that might be written to the log file (instead of the default obfuscation behavior). This includes instances where administrative users change their passwords and affects any other condition where the sensitive attribute might be displayed for informational purposes such as alerts.

PingDataSync can now include Active Directory account state information

Improved PingDataSync

Many customers use PingDataSync Server to either migrate from Active Directory or use Active Directory in conjunction with PingDirectory to manage user accounts. Administrators can now configure PingDataSync to include account state information set in Active Directory, specifically the lockout time, the time the password was last set, and whether or not the account is disabled. This information can now be properly set within PingDirectory based on the information set in the account in Active Directory.

Entry balancing and global index

Issue PingDirectoryProxy

If the DirectoryProxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.

In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the DirectoryProxy Server could have selected a result from a backend server in which the target entry didn’t exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.

There are still known cases, however, in which the DirectoryProxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn’t allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.

Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology

Fixed PingDirectory, PingDataSync

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

Fixed lost access to keys used for reversible password encryption when removing servers from the topology

Fixed DS-44591 PingDirectory

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, before this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Because this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it will not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

Fixed Directory REST API

Fixed DS-37117 PingDirectory

Fixed an issue where the Directory REST API encountered internal server errors while processing entries whose attributes have LDAP tagging options.

Added LDAP pass-through authentication handler

Fixed DS-38498, DS-38621 PingDirectory

An LDAP pass-through authentication handler has also been provided, which allows the new plugin to be used as an alternative to the existing LDAP-specific pass-through authentication plugin. The new implementation provides additional functionality not available in the previous plugin, including the ability to indicate whether pass-through authentication should be allowed for accounts that are locked or have expired passwords and the ability to set timeouts that will be used when interacting with external LDAP servers. It also has improved default settings and offers better diagnostic information about its processing.

Added authentication support for passwords stored in several services

Fixed DS-40671 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.

The dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used

Fixed DS-40796 PingDirectory

To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.

Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change

Fixed DS-40926 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, which could be included in the server’s configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive will be obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values, but could interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.

Added sorting to the Name and Category columns of the monitor table

Fixed DS-42752 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added sorting functionality to the Name and Category columns of the monitor table in the administrative console.

Added replica-partial-backlog attribute to replication summary monitor

Fixed DS-42961 PingDirectory

To help with replication backlog analysis, the replication summary monitor now includes a replica-partial-backlog attribute that shows how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute also shows the change numbers used for the calculation.

Updated the server to record the original requester distinguished name (DN) and IP address

Fixed DS-43056 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Updated the server to record the original requester distinguished name (DN) and IP address in access log and config audit log messages for mirrored configuration changes.

Fixed DS-43582 PingDirectory, PingDirectoryProxy

Fixed a couple of issues in which the server might not properly handle other controls included in a search request containing a join request control. For search operations passing through the Directory Proxy Server, other response controls could have been inadvertently stripped from search result entries when adding the join result control. Further, if a search request included a join request control in conjunction with one or more other controls, the request control immediately following the join request control might not have been properly handled.

Added support for obtaining secrets from CyberArk Conjur

Fixed DS-43917 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service. The server can authenticate to Conjur using a username and a password or an API key.

Added support for obtaining secrets from Azure Key Vault

Fixed DS-43918 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service.

New global configuration properties to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request

Fixed DS-43959, DS-44924 PingDirectory

These limits can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that can be provided for an attribute.

Fixed proxied authorization issue

Fixed DS-44081 PingDirectory

Addressed an issue where proxied authorization would fail in rare cases for usernames with 57 or 58 characters and DNs with 108 or 109 characters.

Fixed manage-profile replace-profile keystore files issue

Fixed DS-44280, DS-45027, DS-45037 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS-140-2-compliant mode.

Fixed View API Commands issue

Fixed DS-44329 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Resolved an issue where the View API Commands link appeared to be disabled in the administrative console.

Fixed silent replication failure

Fixed DS-44454 PingDirectory

Fixed an issue where non-DN modifications associated with a moddn change would silently fail to replicate.

Added new --performLocalCleanup argument to remove-defunct-server

Fixed DS-44495 PingDirectory

Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.

Added a PKCS #11 cipher stream provider

Fixed DS-44519 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server’s encryption settings database. Only certificates with RSA key pairs can be used because Java virtual machines (JVMs) do not currently provide adequate key wrapping support for elliptic curve key pairs.

Server instances can now be safely mirrored to older servers in mixed-version topologies

Fixed DS-44577 PingDirectory

Server instances, which are within a mirrored subtree, can now be safely mirrored to older servers in mixed version topologies. This is done by adding the following to server instances: objectclass: extensibleObject.

Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology

Fixed DS-44591 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, before this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Because this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it does not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

Added PingData Administrative Console configuration capability

Fixed DS-44595 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The PingData Administrative Console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (for example, PKCS12 or BCFKS) are now properly supported.

The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks

Fixed DS-44601 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.

Updated the file servlet

Fixed DS-44602 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.

Improved includePath argument validation performed by the manage-profile generate-profile tool

Fixed DS-44604 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept but warn about paths that reference files that do not exist.

Fixed an issue that caused an internal root account to be subject to the server’s default password policy

Fixed DS-44623 PingDirectory, PingDirectoryProxy

Fixed an issue that caused an internal root account (used for processing certain types of internal operations) to be subject to the server’s default password policy. With some password policy configurations, if a DirectoryProxy Server attempted to perform an internal operation that targeted data in a backend Directory Server, that operation could have been incorrectly rejected.

Fixed symmetric keys issue

Fixed DS-44648 PingDirectory

Addressed an issue where symmetric keys were not being sanitized in the config-audit.log.

Updated the export-ldif tool

Fixed DS-44669 PingDirectory

Updated the export-ldif tool to always base64 encode values with any ASCII control characters. The LDIF specification in RFC 2849 only requires base64 encoding for the NUL, LF, and CR control characters, and those are the only control characters that were previously base64 encoded. However, the specification also permits base64 encoding for any type of character, and always base64 encoding all control characters is safer and reduces the chance for errors when working with values containing such characters.
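The following is an added example, not code from PingDirectory or the export-ldif tool, that shows the difference between the two encoding rules described above: the minimum that RFC 2849 requires (NUL, LF and CR anywhere; SPACE, colon and '<' as the first character; non-ASCII bytes) and the stricter rule of base64-encoding every ASCII control character. The sample values are constructed; line folding of long values is not handled.

```python
from __future__ import annotations

import base64

# RFC 2849 SAFE-CHAR: any octet except NUL (0x00), LF (0x0A), CR (0x0D) and
# anything above 0x7F.  SAFE-INIT-CHAR additionally excludes SPACE (0x20),
# ':' (0x3A) and '<' (0x3C) as the first octet of a value.
_UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}
_UNSAFE_FIRST = _UNSAFE_ANYWHERE | {0x20, 0x3A, 0x3C}


def needs_base64_rfc2849(value: bytes) -> bool:
    """Minimum rule: what RFC 2849 requires for a value to be base64-encoded."""
    if not value:
        return False
    if value[0] in _UNSAFE_FIRST:
        return True
    if any(b > 0x7F or b in _UNSAFE_ANYWHERE for b in value):
        return True
    # RFC 2849 says values ending in SPACE SHOULD be encoded; treat that as
    # required so the value survives a round trip through other LDIF readers.
    return value[-1] == 0x20


def needs_base64_strict(value: bytes) -> bool:
    """Stricter rule, like the updated export-ldif behaviour described above:
    also encode any other ASCII control character (0x01-0x1F) and DEL (0x7F)."""
    if needs_base64_rfc2849(value):
        return True
    return any(b < 0x20 or b == 0x7F for b in value)


def ldif_attr_line(name: str, value: bytes, strict: bool = True) -> str:
    """Render one LDIF attribute line: 'name: value' or 'name:: base64'."""
    encode = needs_base64_strict(value) if strict else needs_base64_rfc2849(value)
    if encode:
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    # Only reached for pure-ASCII values, so the decode cannot fail.
    return f"{name}: {value.decode('ascii')}"


# Constructed sample values (not taken from any real directory).
SAMPLES = {
    "plain": b"Jane Doe",
    "tab": b"tab\there",            # 0x09: legal in RFC 2849, encoded by strict rule
    "escape": b"colour\x1b[0m",     # ANSI escape: same story, and nastier in a terminal
    "leading-colon": b":starts with colon",
    "newline": b"line\nbreak",
    "utf8": "caf\u00e9".encode("utf-8"),
}


def compare_rules(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """For each sample, (encoded under RFC minimum?, encoded under strict rule?)."""
    return {k: (needs_base64_rfc2849(v), needs_base64_strict(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for key, (rfc, strict) in compare_rules(SAMPLES).items():
        print(f"{key:14s} rfc2849={rfc!s:5s} strict={strict!s:5s}  ->  "
              f"{ldif_attr_line('description', SAMPLES[key])}")
```

The practical point is the "tab" and "escape" rows: both are legal unencoded under RFC 2849, yet they are exactly the values that get mangled by copy-and-paste, whitespace-normalising editors, or a terminal that interprets the escape sequence, which is why always encoding control characters is the safer default.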

Made several improvements to the ldap-diff tool

Fixed DS-44757 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

  • Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.

  • Added the ability to use a properties file to obtain default values for command-line arguments.

  • Improved the ability to use different TLS-related settings for the source and target servers.

  • Improved support for SASL authentication.

Updated the migrate-ldap-schema tool

Fixed DS-44758 PingDirectory

Updated the migrate-ldap-schema tool to provide more flexibility for TLS negotiation, support for SASL authentication, support for using a properties file, and better validation for migrated attribute type and object class definitions.

Fixed a remove-defunct-server issue

Fixed DS-44793 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.

Improved performance for modify operations

Fixed DS-44884 PingDirectory

Improved performance for modify operations that need to insert an entry ID into the middle of a very large composite index ID set.

Addressed a connection error in remove-defunct-server

Fixed DS-44892 PingDirectory

Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (in other words, a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.

Fixed an error when backing up an encrypted backend

Fixed DS-44904 PingDirectory

Fixed a race condition that could sporadically cause an error when backing up an encrypted backend.

Addressed an issue with simple binds on entries without passwords

Fixed DS-44931 PingDirectory

Addressed an issue where simple binds on entries without passwords would not update the relevant password policy attributes, such as ds-pwp-auth-failure.

Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites

Fixed DS-44940 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.
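The release note does not name the new crypto manager properties, so the following is an added example, not PingDirectory code or configuration, of the kind of review a practitioner would run over a candidate cipher suite list before enabling it: it flags suites by their standard JSSE/IANA names, where a name starting with TLS_RSA_WITH_ denotes RSA key exchange (no forward secrecy) and a trailing _SHA or _MD5 denotes an HMAC-SHA1 or HMAC-MD5 record MAC. The suite list is constructed for the example.

```python
from __future__ import annotations

import re

# Naming convention: TLS_<key exchange>_<auth>_WITH_<cipher>_<mac or PRF>.
# Only a leading TLS_RSA_WITH_ means RSA *key exchange*; TLS_ECDHE_RSA_...
# uses RSA solely for authentication and keeps forward secrecy.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange component.
_RSA_KX = re.compile(r"^(TLS|SSL)_RSA_WITH_")
_SHA1_MAC = re.compile(r"_SHA$")
_MD5_MAC = re.compile(r"_MD5$")


def weaknesses(suite: str) -> set[str]:
    """Return the set of weak properties a suite name implies."""
    found: set[str] = set()
    if _RSA_KX.match(suite):
        found.add("rsa-key-exchange")
    if _SHA1_MAC.search(suite):
        found.add("sha1")
    if _MD5_MAC.search(suite):
        found.add("md5")
    return found


def audit(suites: list[str], allow_sha1: bool = False,
          allow_rsa_kx: bool = False) -> tuple[list[str], dict[str, list[str]]]:
    """Split a candidate list into suites to keep and suites to drop (with reasons).
    The allow_* flags mirror the idea of the properties described above: a
    deliberate, explicit opt-in for legacy peers, never the default."""
    tolerated: set[str] = set()
    if allow_sha1:
        tolerated.add("sha1")
    if allow_rsa_kx:
        tolerated.add("rsa-key-exchange")
    keep: list[str] = []
    drop: dict[str, list[str]] = {}
    for suite in suites:
        problems = weaknesses(suite) - tolerated
        if problems:
            drop[suite] = sorted(problems)
        else:
            keep.append(suite)
    return keep, drop


# Constructed candidate list, a typical mix from an older JVM default.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    keep, drop = audit(SAMPLE_SUITES)
    print("keep:", *keep, sep="\n  ")
    for suite, reasons in drop.items():
        print(f"drop: {suite}  ({', '.join(reasons)})")
```

Note that MD5 is flagged as well even though the release note only mentions SHA-1 and RSA key exchange; a suite ending in _MD5 should never survive such a review.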

Fixed an issue in which the server might not use appropriate resource limit values

Fixed DS-44942 PingDirectory, PingDirectoryProxy

Fixed an issue in which the server might not use appropriate resource limit values for accounts that bind with pass-through authentication. In such cases, the server might apply size limit, time limit, idle time limit, and other constraints from the global configuration instead of alternative values for those limits set in the user entry.

Fixed server hang issues

Fixed DS-45032 PingDirectory

  • Addressed an issue that caused remove-defunct-server to hang.

  • Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.

For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times

Fixed DS-45038 PingDirectory

For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times in order to apply the new generation ID.

Added support for Eclipse Foundation JDKs

Fixed DS-45039 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for the use of Java Development Kits (JDKs) obtained through Eclipse Foundation.

Fixed an issue where explicit createTimestamp values were replicated to peer servers in the wrong format

Fixed DS-45056 PingDirectory

Fixed an issue where explicit createTimestamp values were replicated to peer servers using a default timestamp format rather than the non-default format of the value stored on the first server.

Updated the mirror virtual attribute provider to include an option to bypass access control evaluation for the internal searches that it performs

Fixed DS-45060 PingDirectory

The mirror virtual attribute provider now includes an option to bypass access control evaluation for the internal searches that it performs. When this option is enabled, the virtual attribute might provide values from another entry even if the requester would not otherwise have permission to access those values, so enable it only where that disclosure is intended.

Fixed a PingDirectory server performance issue involving high CPU usage

Fixed DS-45115 PingDirectory

Fixed a PingDirectory server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.

Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments

Fixed DS-45124 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.

Fixed a composed attribute plugin issue

Fixed DS-45153 PingDirectory

Fixed an issue that prevented the composed attribute plugin from working for operations that are part of a multi-update request.

Fixed an issue where a server with a newly initialized database could go into lockdown mode

Fixed DS-45154 PingDirectory

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.

Changed default tab in the administrative console

Fixed DS-45160 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Changed the default tab in the administrative console to Modify when updating an existing server resource with new changes.

Added support for new extended operations

Fixed DS-45162 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for new extended operations to help manage the server’s listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.

Added support for BellSoft JDKs

Fixed DS-45190 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added support for the use of JDKs obtained through BellSoft.

Improved performance of server encryption

Fixed DS-45203 PingDirectory

Resolved a performance issue that could cause servers installed using a server encryption option to spend several minutes waiting in the Initializing Crypto Manager phase during server startup.

Added a scroll bar to the administrative console’s Server list

Fixed DS-45284 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync

Added a scroll bar to the administrative console’s Server list to ensure all servers are accessible regardless of screen size.

Updated the entry counter, hash DN, and round robin placement algorithms

Fixed DS-44678 PingDirectoryProxy

Updated the entry counter, hash DN, and round robin placement algorithms to make it possible to exclude specified backend sets from consideration when adding new entries to an entry-balanced topology.

Improved server logic

Fixed DS-44798 PingDirectoryProxy

Improved the logic the server uses to select the best result to return to the client when an operation fails in an entry-balanced topology after the request was broadcast to all backend sets. In some cases, the server could have incorrectly returned a result from a backend set in which the target entry did not exist instead of a more appropriate result from the backend set that did contain the entry.

Fixed dashboard icon issue

Fixed DS-44224 PingDataMetrics

Addressed an issue where icons on the dashboards were not properly displayed.

Added synchronization from the Active Directory lockoutTime attribute to the PingDirectory pwdAccountLockedTime attribute

Fixed DS-44513 PingDataSync

Synchronizes the Active Directory lockoutTime attribute from source systems to the PingDirectory pwdAccountLockedTime attribute. Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.

Added direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled

Fixed DS-44636 PingDataSync

Synchronizes the Active Directory userAccountControl bit that indicates the account is disabled (bit #2, the 0x0002 ACCOUNTDISABLE flag), or the msDS-UserAccountDisabled attribute on AD LDS, to the PingDirectory attribute ds-pwp-account-disabled. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.

Added direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime

Fixed DS-44660 PingDataSync

Synchronizes the Active Directory pwdLastSet attribute, which holds the password changed time, to the PingDirectory attribute pwdChangedTime. Because pwdChangedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping from pwdChangedTimeFromAD to pwdChangedTime.
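The three Active Directory mappings above (lockoutTime, the userAccountControl disabled bit, and pwdLastSet) all hinge on the same conversion problems, so here is one added example covering all three. It is not PingDataSync code and does not show how PingDataSync itself performs the conversion; it shows what a correct conversion has to do: AD stores lockoutTime and pwdLastSet as 100-nanosecond intervals since 1601-01-01 UTC (Windows FILETIME), where 0 means not locked out or password not set, while PingDirectory password policy attributes use LDAP generalized time. The sample AD entries and the staging attribute values are constructed for the example.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # AD's "never" sentinel (e.g. accountExpires)
ACCOUNTDISABLE = 0x0002                 # userAccountControl flag, "bit #2"


def filetime_to_generalized_time(filetime: int) -> Optional[str]:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to LDAP
    generalized time with millisecond precision, e.g. 20190417184000.000Z.
    Returns None for 0 (lockoutTime: not locked; pwdLastSet: never set or
    must change at next logon) and for the 'never' sentinel."""
    if filetime <= 0 or filetime == _FILETIME_NEVER:
        return None
    dt = _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond // 1000:03d}Z"


def is_disabled(user_account_control: int) -> bool:
    """True if the ACCOUNTDISABLE flag is set in userAccountControl."""
    return bool(user_account_control & ACCOUNTDISABLE)


def map_ad_entry(ad_entry: dict) -> dict[str, str]:
    """Build the *FromAD staging attributes that the direct attribute mappings
    named in the release notes consume.  Attribute names on the PingDirectory
    side are the ones the notes cite; the AD attribute names are standard.

    Caveat: AD does not clear lockoutTime when the domain's lockoutDuration
    elapses, so a non-zero value older than that duration describes a lockout
    that has already expired.  A production mapping should take the domain
    policy into account before asserting the account is still locked."""
    out: dict[str, str] = {}

    locked = filetime_to_generalized_time(int(ad_entry.get("lockoutTime", 0)))
    if locked is not None:
        out["pwdAccountLockedTimeFromAD"] = locked

    changed = filetime_to_generalized_time(int(ad_entry.get("pwdLastSet", 0)))
    if changed is not None:
        out["pwdChangedTimeFromAD"] = changed

    if "userAccountControl" in ad_entry:          # AD DS
        disabled = is_disabled(int(ad_entry["userAccountControl"]))
        out["ds-pwp-account-disabled-from-ad"] = "true" if disabled else "false"
    elif "msDS-UserAccountDisabled" in ad_entry:  # AD LDS exposes a plain boolean
        disabled = str(ad_entry["msDS-UserAccountDisabled"]).lower() == "true"
        out["ds-pwp-account-disabled-from-ad"] = "true" if disabled else "false"
    return out


# Constructed sample entries (not from a real domain).
SAMPLE_DISABLED_USER = {
    "sAMAccountName": "jdoe",
    "userAccountControl": 514,              # NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2)
    "lockoutTime": 0,                       # not locked out
    "pwdLastSet": 132000000000000000,       # 2019-04-17 18:40:00 UTC
}
SAMPLE_LOCKED_USER = {
    "sAMAccountName": "asmith",
    "userAccountControl": 512,              # NORMAL_ACCOUNT, enabled
    "lockoutTime": 132000005000000000,      # 500 s after the value above
    "pwdLastSet": 0,                        # must change password at next logon
}

if __name__ == "__main__":
    for entry in (SAMPLE_DISABLED_USER, SAMPLE_LOCKED_USER):
        print(entry["sAMAccountName"], map_ad_entry(entry))
```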

Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes

Fixed DS-44922 PingDataSync

Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes with the same base name but with different option tags, and any of these attributes having more values in the source entry than the replace-all-attr-values-limit for the Sync class.

Fixed an issue where PingDataSync was not syncing entries to PingOne environments

Fixed DS-45134 PingDataSync

Addressed an issue where PingDataSync was not syncing entries to PingOne environments because of rate-limiting responses from PingOne.

Fixed a max-rate-per-second configuration setting

Fixed DS-45138 PingDataSync

Addressed an issue where the max-rate-per-second configuration setting was not being applied to the resync tool.

Delegated Admin 4.9 (March 2022)

Managing accounts now includes the ability to unlock accounts

Improved Delegated Admin

Previously, the only way to unlock an account was for an administrator to reset the password. Now, delegated administrative users can directly unlock an account without resetting the password. For more information, see Unlocking user accounts.

The initiate password reset option does not unlock accounts.

Resource types can now have custom names assigned for Members and Nonmembers columns

Improved Delegated Admin

This option is available for the Groups, Users, and Generic REST resource types.

For more information, see Manage groups.

The grant type is now set to Authorization Code with PKCE

Improved Delegated Admin

Earlier versions of Delegated Admin have used the Implicit grant type as the default OpenID Connect (OIDC) grant type. Because the Implicit grant type can leak access tokens, it is no longer recommended for use. In new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE. To change your default OIDC grant type to Authorization Code with PKCE in existing installations of Delegated Admin, see Changing the default OIDC grant type.

For more information on the Implicit grant type, see OAuth 2.0 Implicit Grant.
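As an added example that is not part of Delegated Admin or PingDirectory, the following shows what Authorization Code with PKCE (RFC 7636) adds over the Implicit grant: the client commits to a secret code_verifier up front by sending only its SHA-256 challenge in the authorization request, so an authorization code seen in a redirect URL or browser history cannot be redeemed without that verifier. The ToyAuthorizationServer class is a minimal in-memory stand-in for the authorization server's /authorize and /token endpoints, constructed for this example; its rejection of the "plain" method is a hardening choice (RFC 7636 lets servers support it, but it protects nothing against an attacker who can read the authorization request).

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unpadded base64url characters, the RFC minimum."""
    return _b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates RFC 7636 length/charset rules")
    return _b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge and compare in constant time."""
    if method != "S256":                      # hardening choice: refuse 'plain'
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


class ToyAuthorizationServer:
    """Constructed stand-in for an OIDC provider: issues single-use codes bound
    to (client_id, code_challenge) and redeems them only with the right verifier."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        entry = self._codes.pop(code, None)   # single use: replay fails
        if entry is None:
            return None
        bound_client, challenge, method = entry
        if bound_client != client_id:
            return None
        if not verify_pkce(challenge, method, code_verifier):
            return None
        return "access-token-" + secrets.token_hex(8)   # constructed token value


def run_flow(server: ToyAuthorizationServer, client_id: str = "delegated-admin") -> bool:
    """Full legitimate exchange: returns True if a token was issued."""
    verifier = new_code_verifier()                      # kept in the client only
    code = server.authorize(client_id, code_challenge_s256(verifier))
    return server.token(client_id, code, verifier) is not None


if __name__ == "__main__":
    print("legitimate flow succeeded:", run_flow(ToyAuthorizationServer()))
```

The interesting failure case is the one the Implicit grant cannot defend against: an attacker who intercepts the authorization code (the only secret that crosses the front channel) still cannot redeem it, because the verifier never leaves the legitimate client. The assertions in the check below use the S256 test vector from RFC 7636 Appendix B.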

dadmin-account-locked is not available for filtering

Issue Delegated Admin

Because the account locked state, dadmin-account-locked, is not a true attribute, it is not available for filtering in reporting.

No resources displayed for a correlated resource type

Issue Delegated Admin

If a resource is linked to more correlated resources than the correlated resource type’s search limit, then no resources will be displayed for that correlated resource type. To view the resources for that correlated resource type, increase the correlated resource type’s search limit.

Fixed error message issue

Fixed DS-40723 Delegated Admin

Fixed an issue where an error message was not displayed when password generation was unsuccessful.

Fixed multi-valued attribute deletion error

Fixed DS-45075 Delegated Admin

Fixed an issue that prevented the first value in a multi-valued attribute from being deleted.

Updated the warning banner for configuration errors

Fixed DS-45079 Delegated Admin

Updated the warning banner for configuration errors to only display for the first 10 seconds after signing in to Delegated Admin.

Added the ds-pwp-modifiable-state-json attribute

Fixed DS-45448 Delegated Admin

Added the ds-pwp-modifiable-state-json attribute to user resource types automatically.

Fixed a user password policy issue

Fixed DS-45502 Delegated Admin

Fixed an issue in which a user’s password policy was not being used to generate new passwords for the user.

Previous Releases

For information about enhancements and issues resolved in previous major and minor releases of PingData products, follow the links below to their release notes: