Release Notes
Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to the PingDirectory server, the PingDataSync server, the PingDirectoryProxy server, and the PingDataMetrics server. Updated August 30, 2024.
PingDirectory suite of products 9.3.0.7 (November 2024)
Made it easier to upgrade replicated servers to version 9.3.0.7 or later
Improved DS-48798, DS-49090 PingDirectory
When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 9.3.0.7 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.
This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server because the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.
After upgrade, the update tool also displays a message with more information:
In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas' global configuration property changed from 'false' to 'true'. However, it should generally only be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0 servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly set to false for this server if it was not explicitly set. Once you have completed the upgrade across all servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this property to 'true' on all servers.
Fixed a config-diff error
Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.
Removed the restart prompt when changing a certificate alias
Fixed DS-45174 PingDirectory, PingDirectoryProxy, PingDataSync
Removed the prompt to restart the LDAP connection handler component after changing the ssl-cert-nickname configuration property because a restart isn’t required.
Removed suppression messages for disabled alerts
Fixed DS-49119 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where alert types that were disabled would still output suppression messages.
Fixed an issue with attribute value types in proxy transformations
Fixed DS-48958 PingDirectoryProxy
Updated the attribute mapping proxy transformation to require that both the source and target attribute types are defined in the local schema. This fix ensures that the server correctly handles those attribute values (for example, when identifying value types and formatting values for return in REST API responses).
The server now prevents you from adding a new attribute mapping proxy transformation if either of the attribute types isn’t defined in the schema. If any existing transformations of this kind reference attributes whose types aren’t defined in the schema, the server logs a warning message on startup.
PingDirectory suite of products 9.3.0.6 (August 2024)
Increased replication speed
Improved DS-48826 PingDirectory
Increased throughput for replicated operations.
Fixed an issue with syncing modified PingOne attributes
Fixed DS-48669 PingDataSync
Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.
Supplied missing replication error information
Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.
Fixed an error message in the Delegated Admin report
Fixed DS-48774 PingDirectory, PingDirectoryProxy
Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.
Fixed an issue with inconsistent entryUUID values across servers
Fixed DS-48678, DS-48720 PingDirectory
Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.
Fixed an issue with VLV indexes and extensible match filters
Fixed DS-48026 PingDirectory
Fixed an issue that could prevent the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.
PingDirectory suite of products 9.3.0.5 (March 2024)
Added logging history for the setup tool
Improved DS-47831 PingDirectory
A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.
Fixed a NullPointerException caused by an unconfigured alert handler
Fixed DS-47455 PingDirectory, PingDirectoryProxy, PingDataSync, PingDataMetrics
Fixed an issue where a NullPointerException was thrown when an alert or alarm was raised and one or more of the alert handlers weren’t configured. This most commonly happened when the server was being stopped.
Now, instead of throwing a NullPointerException, the server logs this message: Alert notification '<notification>' will not be processed by alert handler '<alert_handler>' since that alert handler does not have configuration.
Fixed an encoding issue with UTF-8 in URI search filters
Fixed DS-48300 PingDirectory, PingDataSync
Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.
Fixed an issue with attribute duplication
Fixed DS-48585 PingDirectory
Fixed an issue where replace operations that target attributes with subordinate types would cause the subordinate attribute values to be duplicated.
Fixed an issue where the server could throw a DATABASE_LOCK_CONFLICT error
Fixed DS-45949 PingDirectory
Fixed an issue where aborting a transaction on a PingDirectory server could sometimes fail to release a write-lock, causing all subsequent transactions to fail with the error DATABASE_LOCK_CONFLICT until the server was restarted.
Fixed a potential NullPointerException during replication
Fixed DS-47289 PingDirectory
Fixed a potential NullPointerException that the server could throw during replication if missing changes were found for a replica, but that replica didn’t exist on all servers. This scenario can happen when an obsolete replica is purged concurrently with the check for missing changes.
Fixed a replication issue where a suffix could have multiple generation IDs
Fixed DS-47695 PingDirectory
The generation ID, represented by ds-sync-generation-id, is a value used by replication to determine if replicas are compatible and can be replicated. To address the issue of multiple generation IDs for the same suffix, the generation ID is now calculated independent of the disk order in which the entries are stored. This new behavior is helpful when entries are imported on new servers instead of initializing them.
Fixed an issue with dsreplication status information
Fixed DS-47326 PingDirectory
Fixed an issue where running the dsreplication status --displayservertable command sometimes failed to display peer server statuses or generation IDs.
Fixed the default behavior of check-replication-domains
Fixed DS-47655 PingDirectory
Changed the check-replication-domains tool to default to the server’s root directory and removed the --serverRoot argument requirement.
Fixed an incorrect suggestion in the replication terminal output
Fixed DS-47878 PingDirectory
Fixed a problem where dsreplication initialize suggested using the --force option if you were unable to connect to the server properly.
Fixed an issue that prevented use of the Changelog Password Encryption plugin in replicated environments
Fixed DS-48205 PingDirectory
Fixed an issue where the Changelog Password Encryption plugin would not work properly in a replicated environment if a password was changed with a Password Modify extended operation.
PingDirectory suite of products 9.3.0.4 (January 2024)
Fixed a memory issue introduced in 9.3.0.2 that could have caused the server to crash
Fixed DS-48599 PingDirectory
We fixed an uncommon issue that was causing memory usage to spike, possibly crashing the PingDirectory server.
With this issue present, when clients performed atypical modify operations, they might have populated entries with duplicate attribute values. If clients repeated these modifications, over time, the duplicate attribute values could have caused the server to consume a substantial amount of memory, which might have eventually caused the server to shut down with an out-of-memory error.
PingDirectory suite of products 9.3.0.3 (November 2023)
Faster server backup and recovery
Improved DS-45157 PingDirectory
We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.
PingDirectory suite of products 9.3.0.2 (October 2023)
Fixed an issue with replace modifications
Fixed DS-47975 PingDirectory
Fixed an issue that could prevent replace modifications for attribute types with subordinate types (for example, postalAddress) from being properly applied.
Fixed an issue that affects password policies stored outside the server configuration
Fixed DS-43034, DS-47832 PingDirectory
Fixed a regression that was introduced in the 9.3.0.0 release while making changes to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. The issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.
As part of the change to allow additional values for the allow-pre-encoded-passwords configuration property, we changed the syntax for the underlying attribute type from Boolean to directory string. When storing values for Boolean attributes in entries that reside in local DB backends, the server may compact the value to reduce the amount of space needed to store the data on disk and in memory. When the syntax for the attribute type was changed, the server no longer recognized that the value was compacted, which prevented it from properly interpreting that value.
This fix allows the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. Note that when the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address that.
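The following is an added illustration of the failure mode described above, not PingDirectory code: a backend compacts Boolean-syntax values to a one-byte token, a decoder that keys only on the attribute's current syntax returns the raw token once the syntax changes to directory string, and the fix teaches the decoder which attributes may still hold compacted tokens. The token bytes, schema table and attribute name handling are assumptions made for this model.

```python
# Added model (not PingDirectory code) of the compacted-Boolean regression
# behind DS-43034 / DS-47832. Token bytes and the schema tables are constructed.

TOKEN_TRUE = b"\x01"   # constructed compact on-disk token for "true"
TOKEN_FALSE = b"\x00"  # constructed compact on-disk token for "false"

# Attribute syntax before and after the 9.3.0.0 change.
SCHEMA_OLD = {"ds-cfg-allow-pre-encoded-passwords": "boolean"}
SCHEMA_NEW = {"ds-cfg-allow-pre-encoded-passwords": "directory-string"}

# Attributes whose stored values may still be compacted Boolean tokens even
# though their syntax is no longer Boolean; the fix adds this awareness.
COMPACTED_BOOLEAN_ATTRS = {"ds-cfg-allow-pre-encoded-passwords"}

VALID_POLICY_VALUES = {
    "false", "true", "add-only", "admin-reset-only", "add-and-admin-reset-only",
}


def store_value(attr, value, schema):
    """Encode a value for disk; Boolean-syntax values are compacted."""
    if schema[attr] == "boolean":
        if value == "true":
            return TOKEN_TRUE
        if value == "false":
            return TOKEN_FALSE
        raise ValueError("not a Boolean value: %r" % value)
    return value.encode("utf-8")


def decode_before_fix(attr, raw, schema):
    """Decode keyed purely on the current syntax (the regression)."""
    if schema[attr] == "boolean":
        return "true" if raw == TOKEN_TRUE else "false"
    return raw.decode("utf-8", errors="replace")


def decode_after_fix(attr, raw, schema):
    """Also recognise compact tokens for attributes that used to be Boolean."""
    if schema[attr] == "boolean" or attr in COMPACTED_BOOLEAN_ATTRS:
        if raw == TOKEN_TRUE:
            return "true"
        if raw == TOKEN_FALSE:
            return "false"
    return raw.decode("utf-8", errors="replace")


def parse_policy_value(attr, raw, schema, decoder):
    """Interpret a decoded value the way a password-policy parser would."""
    value = decoder(attr, raw, schema)
    if value not in VALID_POLICY_VALUES:
        raise ValueError("corrupt value for %s: %r" % (attr, value))
    return value


def demo():
    """Write under the old syntax, read under the new one, before and after the fix."""
    attr = "ds-cfg-allow-pre-encoded-passwords"
    raw = store_value(attr, "true", SCHEMA_OLD)  # written before the upgrade
    try:
        before = parse_policy_value(attr, raw, SCHEMA_NEW, decode_before_fix)
    except ValueError as e:
        before = "error: %s" % e
    after = parse_policy_value(attr, raw, SCHEMA_NEW, decode_after_fix)
    # Rewriting the value under the new syntax stores it uncompacted, which is
    # the clean-up the release note recommends for affected entries.
    rewritten = store_value(attr, after, SCHEMA_NEW)
    return before, after, rewritten


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the on-disk representation outlived the schema change; a decoder that trusts only the current syntax cannot tell a compact token from a legitimate one-byte string, which is why the retrieved entry can still look corrupt until the value is rewritten.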
Made improvements to the Configuration API
Fixed DS-47790 PingDirectory
The Configuration API no longer treats patch operations with empty arrays as invalid. Instead, it now resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.
Fixed an issue with the remove-defunct-server command
Fixed DS-47784 PingDirectory
Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme where encryption settings were not initialized before initializing password policy components.
Fixed an issue with processing search operations
Fixed DS-47585 PingDirectory
Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.
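An added example, not PingDirectory code, of the general pattern this fix describes: a search's time limit must be checked inside the index-key iteration that produces candidate entries, not only once that iteration is over, or a filter component matching a very large number of keys can run past the limit. The index structure, the check interval and the sample data are constructed for this illustration.

```python
# Added example (not PingDirectory code): enforcing a search time limit
# during index processing. The index layout and sample keys are constructed.
import time


class TimeLimitExceededError(Exception):
    """Raised when the search's time limit expires during index processing."""


def candidate_ids(index_keys, matches, deadline, check_every=1000):
    """Collect entry IDs from index keys accepted by `matches`.

    The deadline (a time.monotonic() value) is checked every `check_every`
    keys, so a range or substring component spanning millions of keys cannot
    overrun the limit before a single candidate entry is examined.
    """
    ids = set()
    for n, (key, entry_ids) in enumerate(index_keys):
        if n % check_every == 0 and time.monotonic() > deadline:
            raise TimeLimitExceededError("time limit exceeded after %d index keys" % n)
        if matches(key):
            ids.update(entry_ids)
    return ids


def sample_index(n_keys):
    """Constructed index: keys 'key000000', 'key000001', ... each mapping to one entry ID."""
    for i in range(n_keys):
        yield ("key%06d" % i, {i})


def run_search(time_limit_seconds, n_keys=50000):
    """Run a substring-style scan under a time limit; report the outcome."""
    deadline = time.monotonic() + time_limit_seconds
    try:
        ids = candidate_ids(sample_index(n_keys), lambda k: k.startswith("key00001"), deadline)
        return "completed", len(ids)
    except TimeLimitExceededError:
        return "time-limit-exceeded", 0


if __name__ == "__main__":
    print(run_search(30.0))   # generous limit: scan completes
    print(run_search(-1.0))   # limit already expired: scan aborts at the first check
```

Checking the clock every N keys rather than on every key keeps the overhead negligible while bounding how far past the limit the scan can run.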
Fixed an issue that caused a null pointer exception to be thrown
Fixed DS-45527 PingDataSync
Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.
Improved Active Directory Sync sources
Improved DS-46635 PingDataSync
For Active Directory Sync sources, when setting the startpoint to end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this change, setting the startpoint to end-of-changelog should be faster, particularly on slow networks.
Fixed an issue when enabling or disabling a user in PingOne
Fixed DS-47905 PingDataSync
Resolved an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.
To create an attribute mapping that will modify the enabled status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This will ensure that enabled always has a well-defined value, even if the source attribute is not present on an entry in the source server.
dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=*) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=*)) : true'
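As an added example (not PingDataSync code), the evaluator below shows why the two conditional-value-pattern values above always yield a value for enabled: the first pattern whose filter matches the source entry wins, and the negated presence filter in the second pattern catches entries that lack the source attribute. Only the presence, equality and NOT filter forms are handled, attribute names are matched case-sensitively, and the sample entries are constructed.

```python
# Added example (not PingDataSync code): evaluates constructed attribute
# mapping patterns of the form "<filter> : <value template>". Supports only
# presence, equality and NOT filters; sample entries are constructed.
import re

_ATTR = r"[A-Za-z0-9-]+"


def filter_matches(flt, entry):
    """Evaluate a small LDAP filter subset against an entry (attr -> [values])."""
    flt = flt.strip()
    if flt.startswith("(!") and flt.endswith(")"):
        return not filter_matches(flt[2:-1], entry)
    m = re.fullmatch(r"\((%s)=(.*)\)" % _ATTR, flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    attr, value = m.group(1), m.group(2)
    values = entry.get(attr, [])
    if value == "*":            # presence filter
        return bool(values)
    return value in values      # equality filter


def expand_template(template, entry):
    """Replace {attr} references with the attribute's first value ("" if absent)."""
    def first_value(m):
        values = entry.get(m.group(1), [])
        return values[0] if values else ""
    return re.sub(r"\{(%s)\}" % _ATTR, first_value, template)


def construct_value(patterns, entry):
    """Return the expanded value of the first pattern whose filter matches."""
    for pattern in patterns:
        if " : " not in pattern:
            raise ValueError("bad conditional-value-pattern: %s" % pattern)
        flt, template = pattern.split(" : ", 1)
        if filter_matches(flt, entry):
            return expand_template(template.strip(), entry)
    return None  # no pattern matched: the attribute would be left unset


# The two patterns from the dsconfig command above.
ENABLED_PATTERNS = [
    "(sourceAttribute=*) : {sourceAttribute}",
    "(!(sourceAttribute=*)) : true",
]

# Constructed sample source entries.
SAMPLE_ENTRIES = {
    "has-false": {"uid": ["alice"], "sourceAttribute": ["false"]},
    "has-true": {"uid": ["bob"], "sourceAttribute": ["true"]},
    "absent": {"uid": ["carol"]},
}


def map_enabled():
    """Compute the constructed 'enabled' value for every sample entry."""
    return {name: construct_value(ENABLED_PATTERNS, entry)
            for name, entry in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    print(map_enabled())
```

Without the second pattern, the entry lacking sourceAttribute would produce no value at all, which is the case the release note says the fix and the fallback pattern address.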
PingDirectory suite of products 9.3.0.1 (August 2023)
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported versions of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.3.0.0 (June 2023)
What’s new in the PingDirectory 9.3 suite of products?
New DS-46779
PingDirectory
- When dealing with server security, some customers require the ability to separate control of encryption settings from the typical directory administrator. In this release, several features have been added to restrict or revoke access to the encryption settings configuration, including the ability to lock the encryption settings database with a password and a new monitor provider for the cipher stream provider itself. Several restrictions can be configured, including the ability to prevent turning off data encryption, prevent changes to the cipher stream provider, prevent export of the encryption settings database, and prevent use of the encrypt-file tool to decrypt files. Administrators can also now set up a new PingDirectory instance with a pre-existing encryption settings database using the manage-profile command.
- PingDirectory has previously allowed user entries to authenticate through pass-through authentication to other systems such as Active Directory or PingOne. There has been a limit, however, of just one pass-through authentication plugin. A new aggregate pass-through authentication handler has been added in version 9.3, allowing multiple subordinate authentication plugins, each with its own criteria to identify the authentication requests to be processed. The configuration order determines the priority of the plugins. Different failure types can be configured that allow a failure in one subordinate handler to continue processing in another handler.
- PingDirectory provides several application programming interfaces (APIs) for creating efficient and powerful client applications for managing the data store. The Directory REST API has been enhanced to support specific LDAP extended operations: Password Modify, Generate Password, and Get Password Quality Requirements. Since JSON-format controls were recently supported in the Directory REST API, all supported controls can be used with these extended operations as well. The Change Password extended operation allows users to modify their own password or another user’s (with proper permissions, of course). The Suggest Password extended operation generates a list of potential passwords and provides details on whether they would be valid under certain policies, and the Password Requirements extended operation returns a comprehensive list of password quality requirements for a given user or policy if a certain operation is performed.
- Several improvements to the dsreplication command increase performance when enabling replication and when retrieving the current status of the topology.
PingDataSync
- The configuration of sync pipes continues to be a sticking point for customers because the process can be quite difficult. Currently these are created using dsconfig, the administrative console, or the Configuration API. Out-of-the-box (OOTB) dsconfig script files are provided for creating a PingOne source or destination server. New OOTB scripts and documentation have been created specifically for bidirectional syncs between Active Directory and PingDirectory, a reference script for syncing from Active Directory to SCIMv2, and for using Kafka as a sync destination. These scripts include the necessary steps and documentation detailing how to customize them for a customer’s environment.
Added the cache-duration property
Critical DS-47166 PingDirectory
Added the cache-duration property to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.
Added additional values for the allow-pre-encoded-passwords property
New DS-43034 PingDirectory
Added support for additional values for the allow-pre-encoded-passwords property in the password policy configuration. Previously, the value for this property could be either "false" or "true", but it can now be any of the following:
- false: Do not allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. This remains the default setting, and the behavior with this value remains the same.
- true: Allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. The behavior with this value remains the same.
- add-only: Allow pre-encoded passwords to be provided in add requests, but not in self password changes or administrative password resets.
- admin-reset-only: Allow pre-encoded passwords to be provided in administrative password resets, but not in add requests or self password changes.
- add-and-admin-reset-only: Allow pre-encoded passwords to be provided in add requests or administrative password resets, but not in self password changes.
The new values can be used to allow administrators to set pre-encoded passwords without allowing end users to do so for their own accounts. Allowing pre-encoded passwords for self password changes introduces several potential security risks, including permitting users to bypass password validation, password expiration, and password history constraints; permitting users to use weakly encoded passwords; or allowing users to use passwords that are encoded so strongly that they could cause excessive resource consumption in the server.
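The following added example (not PingDirectory code) models how the five property values translate into a per-operation decision: classify the request as an add, a self change or an administrative reset, detect a pre-encoded value by its "{SCHEME}" prefix, and accept or reject according to the configured value. The scheme names treated as known, the rule that a change to one's own entry is a self change, and the sample requests are assumptions made for this model.

```python
# Added model (not PingDirectory code) of the allow-pre-encoded-passwords
# decision. Scheme names and sample requests are constructed.
import re

_ENCODED_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

# Constructed set of password storage schemes this model treats as known.
KNOWN_SCHEMES = {"SSHA256", "SSHA512", "PBKDF2", "ARGON2"}

# Property value -> operation types in which a pre-encoded password is allowed.
PERMITTED_OPERATIONS = {
    "false": set(),
    "true": {"add", "self-change", "admin-reset"},
    "add-only": {"add"},
    "admin-reset-only": {"admin-reset"},
    "add-and-admin-reset-only": {"add", "admin-reset"},
}


def classify_operation(is_add, requester_dn, target_dn):
    """An add is an add; otherwise a change to one's own entry is a self change."""
    if is_add:
        return "add"
    return "self-change" if requester_dn.lower() == target_dn.lower() else "admin-reset"


def pre_encoded_scheme(password):
    """Return the scheme name if the value looks pre-encoded, else None."""
    m = _ENCODED_RE.match(password)
    return m.group(1).upper() if m else None


def evaluate(policy_value, password, operation):
    """Return (accepted, reason) for a supplied password under the policy value."""
    if policy_value not in PERMITTED_OPERATIONS:
        raise ValueError("invalid allow-pre-encoded-passwords value: %s" % policy_value)
    scheme = pre_encoded_scheme(password)
    if scheme is None:
        return True, "clear-text password; the server will validate and encode it"
    if operation not in PERMITTED_OPERATIONS[policy_value]:
        return False, ("pre-encoded password rejected for %s "
                       "(allow-pre-encoded-passwords=%s)" % (operation, policy_value))
    if scheme not in KNOWN_SCHEMES:
        return False, "pre-encoded password uses unknown scheme %s" % scheme
    return True, "pre-encoded %s password accepted for %s" % (scheme, operation)


# Constructed sample requests: (label, is_add, requester DN, target DN, password).
SAMPLE_REQUESTS = [
    ("admin adds user with hash", True, "cn=Directory Manager",
     "uid=new,ou=People,dc=example,dc=com", "{SSHA256}c2FsdHNhbHQ="),
    ("user changes own password to hash", False, "uid=alice,ou=People,dc=example,dc=com",
     "UID=alice,OU=People,DC=example,DC=com", "{SSHA256}c2FsdHNhbHQ="),
    ("admin resets user password to hash", False, "cn=Directory Manager",
     "uid=alice,ou=People,dc=example,dc=com", "{PBKDF2}c2FsdHNhbHQ="),
    ("user changes own password in clear", False, "uid=bob,ou=People,dc=example,dc=com",
     "uid=bob,ou=People,dc=example,dc=com", "correct horse battery staple"),
]


def process_requests(policy_value):
    """Map each sample request label to whether it would be accepted."""
    results = {}
    for label, is_add, requester, target, password in SAMPLE_REQUESTS:
        operation = classify_operation(is_add, requester, target)
        results[label] = evaluate(policy_value, password, operation)[0]
    return results


if __name__ == "__main__":
    for value in PERMITTED_OPERATIONS:
        print(value, process_requests(value))
```

Running it with add-and-admin-reset-only shows the intended separation: administrators can import or reset hashed credentials while a user's own change must still be a clear-text value that passes validation, expiration and history checks.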
Added account status notification types
New DS-43714, DS-46355 PingDirectory
Added an account-authenticated account status notification type that can be used to notify users or administrators when an account has successfully authenticated with a bind request that matches a specified set of criteria.
Added an account-deleted account status notification type that can be used to notify users or administrators when an account has been removed with a delete request that matches a specified set of criteria.
Added support for a successful bind result criteria that can be used to classify successful bind operations based on the resulting authentication identity.
Added a UTF-8 password validator
New DS-44536 PingDirectory
Added a UTF-8 password validator that can be used to ensure that only valid UTF-8 strings can be used as passwords. Passwords can optionally be limited to only ASCII characters, and you can specify which Unicode character classes (for example, letters, numbers, punctuation, symbols, spaces, etc.) should be allowed.
Added the --showPartialBacklog option to dsreplication status
New DS-44898 PingDirectory
Added the --showPartialBacklog option to dsreplication status to display information about the replica-partial-backlog attribute.
Added configuration properties to the Config File Handler backend
New DS-45254, DS-47110, DS-47401
Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).
If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file can be removed after the next configuration change.
By default, this property will apply to the topology registry subtree.
Added pass-through authentication handlers
New DS-45263 PingDirectory
Added an aggregate pass-through authentication handler that makes it possible to have multiple types of pass-through authentication enabled in the server at the same time.
Added a PingOne pass-through authentication handler that can be used to authenticate to the PingOne service. This handler provides the same functionality as the standalone PingOne pass-through authentication plugin, but it can be used with the aggregate pass-through authentication handler to support pass-through authentication to PingOne in conjunction with other types of services.
Added a replication-missing-changes-risk alert
New DS-46198 PingDirectory
A replication-missing-changes-risk alert is now raised during replication server connections if the backlog is within a configurable percent of the purge delay. By default, the new missing-changes-alert-threshold-percent replication server configuration parameter is set to 80%.
Added new properties to the Config File Handler Backend
New DS-46334 PingDirectory, PingDirectoryProxy, PingDataSync
Added two new properties to the Config File Handler Backend for managing the config archive and limiting its impact on server performance.
The first property is maintain-config-archive, which controls whether or not changes to the config backend are recorded in the config archive. Existing records in the archive are unaffected by changes to this property.
The second property is max-config-archive-size, which limits the number of config files that will be maintained by the archive. When a new file is added to the archive, if the resulting number of files exceeds the value of this property, then the oldest files will be deleted from the archive until the total is equal to the configured value.
Added a property that lets you control servlet information
New DS-46565
Added the include-servlet-information-in-error-pages configuration property to give you control over whether servlet information gets printed on HTTP error pages or remains hidden (the default).
Added support for encrypted PKCS #8 private key PEM files
New DS-46654 PingDirectory, PingDirectoryProxy, PingDataSync
When setting up the server with a private key read from a PEM file, or when using manage-certificates to import a certificate chain and private key from PEM files, that private key PEM file can now contain an encrypted private key, and you can specify the password needed to decrypt it. When using manage-certificates to export a private key, you can now specify a password to use to encrypt the key.
Added caching logic
New DS-46664 PingDirectory
Addressed a performance issue when adding new directory servers to large replicated topologies spanning multiple geographic locations.
Added support for syncing Boolean-valued attributes
New DS-46826 PingDataSync
Added support for syncing Boolean-valued attributes for PingOne destinations.
Added support for restricting administrators' access to encrypted data
New DS-46908, DS-46911, DS-46912, DS-46913, DS-46931, DS-46933, DS-46934, DS-46936, DS-46937
Updated the server to support a separation of duties between those responsible for administering the server itself and those responsible for managing the encryption settings definitions used for data encryption. This is implemented through a combination of four new capabilities that were added:
- The ability to configure data encryption restrictions that impose limitations on the administration of data encryption and on access to decrypted data, including the ability to disable encryption, to change the cipher stream provider used to protect the encryption settings database, to create backups or LDIF exports that are unencrypted or encrypted with a passphrase instead of an encryption settings definition, and to use the encrypt-file tool to decrypt files.
- The ability to freeze the encryption settings database with a specified password. While it is frozen, the encryption settings database will operate in read-only mode so that it is not possible to create or remove definitions, change the preferred definition, or alter the set of active data encryption restrictions. The database can only be unfrozen with the password that was initially used to freeze it.
- The ability to set up the server with a pre-existing encryption settings database. This is best done with the manage-profile setup command using a server profile that uses --encryptDataWithPreExistingEncryptionSettingsDatabase in the setup-arguments.txt file, that includes one or more batch files in the pre-setup-dsconfig directory with changes to configure and activate the associated cipher stream provider, and that includes the encryption settings database and any metadata files needed by the cipher stream provider in the appropriate locations below the server-root/pre-setup directory.
- Support for a new monitor provider that can periodically ensure that the encryption settings database can be read without relying on any caching that the cipher stream provider might be using to improve performance and reliability. After a prolonged outage, it can also optionally shut down the server or force it into lockdown mode as a way of preventing or limiting access to encrypted data. This can be used as a way of revoking access to encrypted data in the event that those responsible for managing encryption settings definitions deem it necessary, by removing or disabling an external element (for example, an external KMS encryption key or a secret read from a password vault) that the cipher stream provider depends on for access to the encryption settings database.
Added a disallowed characters password validator
New DS-47262 PingDirectory
The validator can be used to reject proposed passwords that contain any of a specified set of characters. It can be configured with characters that cannot appear anywhere in a password, as well as with characters that are disallowed only at the beginning or end of a password.
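Added example, not PingDirectory code, covering both the UTF-8 password validator (DS-44536, above) and the disallowed characters validator described here: a password arrives as bytes, must decode as UTF-8, may be restricted to ASCII and to a set of Unicode general categories, and is then checked against characters disallowed anywhere, at the start, or at the end. The class names are mapped to unicodedata major-category prefixes as an assumption of this model, and the policy and sample passwords are constructed.

```python
# Added example (not PingDirectory code) chaining a UTF-8 validator and a
# disallowed-characters validator. Policy values and samples are constructed.
import unicodedata

# Friendly class name -> unicodedata major category prefix (an assumption here).
CATEGORY_PREFIXES = {
    "letters": "L", "numbers": "N", "punctuation": "P",
    "symbols": "S", "spaces": "Z", "marks": "M",
}


def validate_utf8(raw, allow_non_ascii=True, allowed_classes=None):
    """Return (ok, reason) for a password supplied as raw bytes."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        return False, "not valid UTF-8: %s" % e.reason
    if not allow_non_ascii and any(ord(c) > 0x7F for c in text):
        return False, "non-ASCII character present"
    if allowed_classes is not None:
        prefixes = tuple(CATEGORY_PREFIXES[cls] for cls in allowed_classes)
        for c in text:
            cat = unicodedata.category(c)   # e.g. "Lu", "Nd", "Cc"
            if not cat.startswith(prefixes):
                return False, "character %r (category %s) not in an allowed class" % (c, cat)
    return True, "ok"


def validate_disallowed(text, anywhere="", at_start="", at_end=""):
    """Return (ok, reason) applying the three disallowed-character sets."""
    if any(c in anywhere for c in text):
        return False, "contains a disallowed character"
    if text and text[0] in at_start:
        return False, "starts with a disallowed character"
    if text and text[-1] in at_end:
        return False, "ends with a disallowed character"
    return True, "ok"


# Constructed policy: ASCII only, no spaces or control characters,
# never a tab or space, no leading "!" and no trailing ".".
POLICY = {
    "allow_non_ascii": False,
    "allowed_classes": ["letters", "numbers", "punctuation", "symbols"],
    "anywhere": " \t",
    "at_start": "!",
    "at_end": ".",
}


def validate_password(raw, policy=POLICY):
    """Run the UTF-8 validator first, then the disallowed-characters validator."""
    ok, reason = validate_utf8(raw, policy["allow_non_ascii"], policy["allowed_classes"])
    if not ok:
        return ok, reason
    return validate_disallowed(raw.decode("utf-8"), policy["anywhere"],
                               policy["at_start"], policy["at_end"])


# Constructed sample passwords (as the bytes a client would send).
SAMPLE_PASSWORDS = {
    "ascii-ok": b"Tr0ub4dor",
    "ascii-with-symbol": b"Tr0ub4dor$",
    "bad-utf8": b"Tr0ub\xff",
    "non-ascii": "p\u00e4ssw\u00f6rd1".encode("utf-8"),
    "control-char": b"Tr0ub\x07dor",
    "starts-with-bang": b"!Tr0ub4dor",
    "ends-with-dot": b"Tr0ub4dor.",
    "has-space": b"Tr0ub 4dor",
}


def check_samples():
    """Map each sample label to whether it passes the constructed policy."""
    return {name: validate_password(raw)[0] for name, raw in SAMPLE_PASSWORDS.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_PASSWORDS.items():
        print(name, validate_password(raw))
```

Validating the bytes before touching the text matters: a malformed sequence has no meaningful character classes to check, and rejecting it up front keeps the later validators working on well-formed strings.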
Added a replication-not-purging-obsolete-replicas alert
New DS-47366 PingDirectory
A replication-not-purging-obsolete-replicas alert will be raised at server startup if a replication server is not configured to purge obsolete replicas. It is recommended that replication servers always be configured to do so.
Added a check-replication-domains tool
New DS-47373 PingDirectory
Added a check-replication-domains tool to check the current list of known replication domains and indicate whether any obsolete domains are present. Learn more about Discovering obsolete replicas.
Improved error handling for LDAP external servers
Improved DS-43614 PingDirectoryProxy
Improved error handling for LDAP external servers that are configured with an authorization-method value of rebind. If the bind attempt fails in a way that indicates that the connection is no longer valid, the PingDirectoryProxy server might now attempt the rebind in a different server or on a newly recreated connection.
Updated the collect-support-data administrative task
Improved DS-44534
Updated the collect-support-data administrative task to allow specifying the start and end times for the range of log messages to include in the support data archive.
Updated the LDAP connection handler
Improved DS-45221
Updated the LDAP connection handler so that changes to the set of enabled TLS protocols and cipher suites take effect immediately and will be used for any new LDAPS or LDAP+StartTLS connections that are established after the change is made. This applies for changes made directly in the connection handler configuration, and if the connection handler is not configured with an explicit set of TLS protocols or cipher suites, then it also applies to changes made in the crypto manager configuration.
A restart is still required to apply TLS protocol or cipher suite changes to other types of connection handlers, as well as for replication.
Updated the modifiable password policy state plugin
Improved DS-45506 PingDirectory
Updated the modifiable password policy state plugin to allow the ds-pwp-modifiable-state-json attribute to be included in add requests for the purpose of specifying certain elements of the new account’s password policy state.
Updated setup to encrypt the tools.pin file in certain situations
Improved DS-46379
Updated setup so that if it is configured to write a tools.pin file containing the default bind password to supply when running command-line tools, and if it is also configured to enable data encryption in the server, then it will encrypt the contents of that tools.pin file.
Improved how a backup of the config backend is handled
Improved DS-46467
If, during a backup of the config backend, a file is deleted from the config/archived-configs directory, that deleted file will now be ignored instead of causing the backup to fail.
Improved password modify extended requests
Improved DS-46487 PingDirectory
Updated the server to allow password modify extended requests to include a proxied authorization request control.
Updated the pass-through authentication handler
Improved DS-46511 PingDirectory
Updated the pass-through authentication handler configuration to make it possible to configure each handler with an optional set of connection criteria, request criteria, and included local entry base DNs. When using the aggregate pass-through authentication handler, this makes it easier to indicate which handler should be used for a given bind operation.
Updated the replace-certificate tool
Improved DS-46653 PingDirectory
Updated the replace-certificate tool to support obtaining the source certificate chain and private key from PEM-formatted or DER-formatted files when replacing a listener or inter-server certificate. This is an alternative to requiring the new certificate to be provided in a key store.
Updated the Directory REST API with a new method for changing passwords
Improved DS-46816 PingDirectory
Updated the Directory REST API to add support for a means of changing passwords that is analogous to the LDAP password modify extended operation.
Updated the Directory REST API to suggest user passwords
Improved DS-46818 PingDirectory
Updated the Directory REST API to add support for a means of suggesting one or more new passwords for a user. This is analogous to the LDAP generate password extended operation.
Updated the Directory REST API for obtaining password quality requirements
Improved DS-46823 PingDirectory
Updated the Directory REST API to add support for a means of getting the requirements that a password will be required to satisfy for an add, self password modify, or administrative password reset operation. This is analogous to the LDAP get password quality requirements extended operation.
Improved the response time of the dsreplication enable command
Improved DS-46906 PingDirectory
Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.
Improved data encryption
Improved DS-46908, DS-46911, DS-46912, DS-46913, DS-46931, DS-46933, DS-46934, DS-46936, DS-46937
The following data encryption improvements were made:
- We updated the encryption-settings create command to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key for the definition.
- We updated most cipher stream providers to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key used to protect the encryption settings database, and to use a higher default value.
- We updated the file-based cipher stream provider to support being configured with a metadata file that allows it to use stronger encryption for protecting the encryption settings database than when no metadata file is configured. A metadata file will automatically be configured when enabling data encryption during setup when not using a pre-existing encryption settings database.
- We improved encryption strength for encryption settings exports, backups, LDIF exports, log files and other file encryption, preferring 256-bit AES over 128-bit when available, and using a higher PBKDF2 iteration count to derive the key.
- We improved file encryption performance in the common case of using an encryption settings definition instead of a passphrase.
- We updated the encryption settings backend to provide additional information about each encryption settings definition, and updated the base entry for that backend to indicate if the encryption settings database is frozen or configured with any data encryption restrictions.
Improved performance of the dsreplication command
Improved DS-47083, DS-47084 PingDirectory
Improved performance of dsreplication commands in topologies with a large number of PingDirectory servers and/or high network latency.
Improved dsreplication command response time
Improved DS-47104 PingDirectory
Improved the response time of the dsreplication command.
Improved various timeouts for replication enable and remove defunct server operations
Improved DS-47144 PingDirectory, PingDirectoryProxy, PingDataSync
Improved various timeouts for replication enable and remove defunct server operations to scale with the size of the topology. Smaller sized topologies should not be impacted by these changes.
Updated the server’s behavior when authenticating a client connection
Improved DS-47155 PingDirectory, PingDirectoryProxy
Updated the server’s behavior when it is configured to attempt to automatically authenticate a client connection using a certificate chain presented during TLS negotiation. Previously, if the client presented a certificate chain that could not be used to successfully authenticate the client, the server would have allowed the connection to remain established in an unauthenticated state, which could cause problems with applications that expect the connection to be authenticated. It will now terminate the client connection and log a disconnect message with details about the authentication failure.
Improved the server’s support for UTF-8 password strings
Improved DS-47167 PingDirectory
Improved the server’s support for passwords provided as UTF-8 strings containing non-ASCII characters with multiple Unicode representations. Previously, bind attempts with such a password would only succeed if the request included the password with exactly the same sequence of bytes used at the time the password was set. Now, the bind might also be able to succeed when the provided password contains the same logical set of characters but using a different Unicode normalization form.
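The notes above do not say which normalization forms the server tries, so the following is an added illustration of the principle rather than PingDirectory’s code: the stored digest still covers the exact byte sequence supplied when the password was set (an existing directory cannot be re-hashed), and the bind side compensates by trying the raw bytes and then each Unicode normalization form. The PBKDF2-over-SHA-256 scheme, iteration count and record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Normalization forms tried, in order, if the raw bytes do not verify (assumed set).
NORMALIZATION_FORMS = ("NFC", "NFD", "NFKC", "NFKD")
ITERATIONS = 100_000  # PBKDF2 iteration count for this example (assumed value)


def derive(password_bytes: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over exactly the bytes supplied; no normalization here."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes, salt, iterations)


def set_password(password: str) -> dict:
    """Store the password as received: the digest covers the caller's byte sequence,
    which is what an already-populated directory contains."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "digest": derive(password.encode("utf-8"), salt, ITERATIONS)}


def candidate_encodings(password: str):
    """Yield the raw UTF-8 bytes first, then each normalization form that
    produces a byte sequence not already tried."""
    seen = set()
    for form in (None,) + NORMALIZATION_FORMS:
        text = password if form is None else unicodedata.normalize(form, password)
        encoded = text.encode("utf-8")
        if encoded not in seen:
            seen.add(encoded)
            yield encoded


def verify_exact(record: dict, password: str) -> bool:
    """Pre-fix behaviour: only the exact byte sequence used at set time matches."""
    digest = derive(password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def verify(record: dict, password: str) -> bool:
    """Normalization-tolerant verification: try each candidate encoding until one
    matches. Every miss costs a full PBKDF2 derivation, so the number of forms
    tried bounds the extra work a failed bind can force on the server."""
    for encoded in candidate_encodings(password):
        digest = derive(encoded, record["salt"], record["iterations"])
        if hmac.compare_digest(digest, record["digest"]):
            return True
    return False
```

The cost caveat matters for exactly the service-account case discussed further down this page: with an expensive scheme such as PBKDF2, a wrong password containing non-ASCII characters can now cost several derivations instead of one, so keep the set of forms small and deduplicated as above.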
Updated replace-certificate replace-inter-server-certificate
Improved DS-47345
Updated replace-certificate replace-inter-server-certificate to prevent using a certificate with an RSA key size greater than 3072 bits. It previously only required a minimum key size of 2048 bits without imposing a maximum size limit, but some of the cryptographic processing performed during inter-server authentication fails when using certificates with key sizes larger than 3072 bits.
Fixed an issue with updating password policy state information
Fixed DS-47440 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue that could interfere with the server’s ability to update password policy state information while processing a bind operation using pass-through authentication.
Service accounts whose passwords are stored with a computationally expensive scheme such as PBKDF2 can make bind processing significantly slower. Create a separate password policy for service accounts, choose a less process-intensive storage scheme such as SSHA256, and set a very strong password in line with NIST guidance. Learn more in the Upgrade considerations.
Fixed an issue in the pluggable pass-through authentication plugin
Fixed DS-46544 PingDirectory
Fixed an issue in the pluggable pass-through authentication plugin that could prevent it from continuing with a local bind attempt if try-local-bind is false but the configured handler reports that the target user does not exist in the external service.
Fixed an issue when processing a modify operation
Fixed DS-45335 PingDirectory
Fixed an issue that could arise when processing a modify operation that contains a replace modification in which the attribute description has an attribute type and does not have any attribute options. If the target entry contained any attributes with the same attribute type but that also had one or more attribute options, then those attributes would have been incorrectly removed from the entry.
Fixed the server’s handling for subtree searches
Fixed DS-46178 PingDirectory
Fixed an issue with the server’s handling for subtree searches with an empty base DN. The server correctly returned entries from top-level backends (that is, backends whose base DNs were server naming contexts) but failed to return entries from subordinate backends.
Fixed an issue that prevented search result entry messages from being logged
Fixed DS-46656 PingDirectoryProxy
Fixed an issue that prevented search result entry messages from being logged for operations passing through the PingDirectoryProxy server.
Fixed an issue with IntraSync User operational attributes
Fixed DS-46695 PingDataSync
Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.
Fixed an issue with permit-export-reversible-passwords
Fixed DS-46810 PingDirectory
Fixed an issue that prevented including permit-export-reversible-passwords in the set of privileges that can be automatically inherited by root users and topology administrators.
Fixed an issue with passwords within minAge
Fixed DS-46882 PingDirectory
Fixed an issue so that attempting to change a password within its minimum age (minAge) now returns an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.
Fixed an issue with the manage-profile --setup script
Fixed DS-46892 PingDirectory
Fixed an issue where the manage-profile --setup script did not correctly find the necessary paths.
Fixed an issue with expired passwords and remaining grace logins
Fixed DS-46945 PingDirectory
Fixed an issue that prevented a user with an expired password but one or more remaining grace logins from being allowed to change their own password on a request that was authorized with the proxied authorization request control.
Fixed an issue with normalized search substrings
Fixed DS-46946 PingDirectory
Fixed an issue where normalized search substrings that were empty matched everything instead of nothing.
Fixed an issue with unindexed searches
Fixed DS-47061 PingDirectory
Fixed an issue that could prevent certain unindexed searches from returning all matching entries in the scope of the search. If a backend is configured with compact-common-parent-dn values that are at least two levels below the backend’s base DN, then searches based below the backend base DN but above a compact-common-parent-dn value could have excluded entries from subtrees for which compaction had been configured. This issue has been fixed, but because it caused certain records to be stored in an incorrect order in the underlying database, customers affected by the issue will need to export the backend data to LDIF and re-import it to have the database rebuilt with the correct ordering.
Fixed an issue with the password modify extended operation and the no-operation control
Fixed DS-47079 PingDirectory
Fixed an issue in which the server could return multiple password validation details response controls in the response to a password modify extended request that included a password validation details request control and did not specify a new password, indicating that the server should generate a new password for the target user.
Also fixed an issue in which the server would not return the generated new password in the response to a password modify extended request that included a no-operation request control and did not specify a new password.
Fixed a replication issue causing unstable master selection
Fixed DS-47103 PingDirectory
Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.
Fixed an issue causing improper modify request processing
Fixed DS-47170 PingDirectory
Fixed an issue that could prevent the server from properly processing a modify request that contained an update to the ds-pwp-modifiable-state-json attribute in conjunction with one or more other attributes. If the update to ds-pwp-modifiable-state-json did not actually result in any changes to the user’s password policy state, then the server could have short-circuited processing for the operation and returned a success result without processing the other modifications targeting other attributes.
Fixed an issue with index name length
Fixed DS-47182 PingDirectory
Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.
Fixed an issue with the password policy state extended operation
Fixed DS-47245 PingDirectory
Fixed an issue that could cause the password policy state extended operation to return misleading results for some requesters. Previously, the server would always retrieve the target user’s entry on an internal connection authorized as the user that requested the external operation, and would use that entry to construct its internal representation of the password policy state. This ensured that the operation would only be allowed if the requester had the necessary permission to retrieve the target user’s entry, but if the requester didn’t have permission to retrieve all of the operational attributes used to represent components of the target user’s password policy state, then the perceived state used for subsequent processing in that operation might not be accurate, which could cause the server to return incorrect information about the user’s account state.
To address this problem, the server first ensures that the requester has the necessary permission to issue the extended request and to access the target user’s entry, but it will then retrieve the entry again on an internal connection that is not subject to access control restrictions. This ensures that it will always get a complete and accurate representation of the user’s password policy state so that it can return the correct information to the requester.
If the operation is used in an attempt to update the target user’s password policy state, then the requester must still have the necessary access control permission to write to the appropriate operational attributes for that request.
Fixed an issue with the purging of obsolete replicas
Fixed DS-47369 PingDirectory
Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.
Fixed an issue with case insensitivity
Fixed DS-47374 PingDirectory
Fixed an issue where case insensitivity was not correctly handled when working with static topologies.
Support for HashiCorp Vault password storage schemes
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 9.2.0.4 (November 2023)
Faster server backup and recovery
Improved DS-45157 PingDirectory
We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.
Fixed an issue with Changelog Password Encryption in replicated environments
Fixed DS-48205 PingDirectory
We fixed an issue where the Changelog Password Encryption plugin wouldn’t work properly in a replicated environment if you changed a password using a Password Modify extended operation. The password change is now propagated to all replicas.
PingDirectory suite of products 9.2.0.3 (September 2023)
Added a new configuration property to the Config File Handler backend
New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added the configuration property insignificant-config-archive-base-dn
to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).
If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file may be removed after the next configuration change.
By default, this property will apply to the topology registry subtree.
Enhanced the dsreplication enable command
Improved DS-46902 PingDirectory
The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.
Fixed an issue causing a null pointer exception
Fixed DS-45527 PingDataSync
Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.
Fixed an issue allowing search operations to last beyond the time limit
Fixed DS-47585 PingDirectory
Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.
PingDirectory suite of products 9.2.0.2 (August 2023)
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.2.0.1 (May 2023)
Added the cache-duration property
New DS-47166 PingDirectory
Critical: Added the property cache-duration to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.
Fixed an issue causing missing IntraSync User operational attributes
Fixed DS-46695 PingDataSync
Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.
Fixed an issue with changing passwords within minAge
Fixed DS-46882 PingDirectory
Fixed an issue so that attempting to change a password within its minimum age (minAge) now returns an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.
Improved the response time of dsreplication enable
Improved DS-46906 PingDirectory
Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.
PingDirectory suite of products 9.2.0.0 (December 2022)
Added new access control bind rules and a new access control target
New DS-38367, DS-38368, DS-38369 PingDirectory
- Added a new "secure" access control bind rule that can be used to make access control decisions based on whether the client is using a secure connection (for example, LDAPS or LDAP with StartTLS) to communicate with the server. Using the bind rule secure="true" indicates that the ACI only applies to requests received over a secure connection, while secure="false" indicates that the ACI only applies to requests received over an insecure connection.
- Added a new "connectioncriteria" access control bind rule that can be used to make access control decisions based on whether the client connection matches a specified set of connection criteria. The value of the bind rule can be either the name or the full DN of the configuration object that defines the desired connection criteria.
- Added a new "requestcriteria" access control target that can be used to make access control decisions based on whether the operation request matches a specified set of request criteria. The value of the target can be either the name or the full DN of the configuration object that defines the desired request criteria.
For more information, see ACI bind rules and ACI targets.
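As an added example (not taken from the release notes or the product documentation), the following LDIF combines the three additions above into the pattern a deployment most often wants: self-service password changes only over TLS, an explicit deny for cleartext, and help-desk resets restricted by both connection criteria and request criteria. The base DN, group DN and the two criteria names ("Internal Network Clients" and "Password Changes") are assumed, and those criteria objects must already exist in the server configuration; check the exact target and bind rule syntax against the ACI bind rules and ACI targets pages before applying it.

```ldif
# Added example; base DN, group DN and criteria names are assumed.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
# Users may change their own password, but only over a secure connection.
aci: (targetattr="userPassword")(version 3.0; acl "Self password change over TLS only";
  allow (write) userdn="ldap:///self" and secure="true";)
-
add: aci
# Explicitly deny password writes that arrive over an insecure connection,
# regardless of what any other ACI might grant.
aci: (targetattr="userPassword")(version 3.0; acl "No password writes over cleartext";
  deny (write) userdn="ldap:///anyone" and secure="false";)
-
add: aci
# Help-desk resets are allowed only for requests matching the "Password Changes"
# request criteria (requestcriteria target) and only from connections matching
# the "Internal Network Clients" connection criteria (connectioncriteria bind rule).
aci: (requestcriteria="Password Changes")(version 3.0; acl "Help desk resets from internal network";
  allow (write) groupdn="ldap:///cn=Help Desk,ou=groups,dc=example,dc=com"
  and connectioncriteria="Internal Network Clients";)
```

Lines beginning with a single space are LDIF continuation lines and are joined to the preceding line when the file is parsed. The deny rule is the one worth keeping even if the others change: an allow rule with secure="true" only grants access, while the deny with secure="false" guarantees a cleartext client can never write the attribute.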
Added an audit data security recurring task
New DS-42172 PingDirectory
Added a new "audit data security" recurring task that can be used to regularly examine server data for potential security-related issues. For more information, see Auditing data content.
Added new stats to track operations when using UnboundIDSyncDestination
New DS-44855 PingDataSync
Added new stats to track operations on account state when using an UnboundIDSyncDestination. They can be found on the monitor entry for the sync pipe associated with the destination.
Added support for Java 17
New DS-45766 PingDirectory, PingDirectoryProxy, PingDataSync
The server can now run on Java 17.
PingDataMetrics does not support Java 17.
Updated Groovy
New DS-45970
Updated Groovy support from Groovy 2.x to Groovy 3.x for Java 17 compatibility. This change might introduce some minor incompatibilities in Groovy script support (for example, it appears that import statements split across multiple lines are no longer allowed), so deployments that use Groovy-scripted extensions should carefully test those extensions in a temporary standalone instance to verify compatibility and make any necessary changes before updating existing instances.
Added a SCIM 2.0 sync destination
New DS-46108 PingDataSync
Added a SCIM 2.0 sync destination. For more information, see Configuring synchronization to a SCIM 2.0 server.
Added new password storage schemes
New DS-46018 PingDirectory
Added new password storage schemes that provide support for the Argon2i, Argon2d, and Argon2id variants of the Argon2 password hash and proof-of-work function. We previously offered only a single Argon2 password storage scheme (which used Argon2i behind the scenes), but the new schemes make it possible to explicitly indicate which variant should be used for encoding passwords.
For more information about password storage schemes, see Supported password storage schemes.
Added an HTTP servlet extension to support Prometheus
New DS-46593
Added an HTTP servlet extension that allows the values of numeric monitor attributes to be published as metrics in a form that can be consumed by a Prometheus monitoring server. For more information, see Monitoring server metrics with Prometheus.
Fixed issues with data security auditors
Fixed DS-12140, DS-42173, DS-46123, DS-46124, DS-46125, DS-4782, DS-4783, DS-4784, DS-5130 PingDirectory
- Fixed an issue in which the locked account data security auditor did not include the number of validator-locked entries in the summary generated when completing processing for a backend.
- Fixed an issue in which the expired password data security auditor could incorrectly report that an entry has an old password even when it has been changed more recently than the configured password evaluation age.
- Fixed an issue with the weakly encoded password data security auditor that could prevent it from detecting passwords encoded with certain schemes.
- Updated the weakly encoded password data security auditor so passwords encoded using unsalted SHA-1 digests, salted SHA-1 digests, salted MD5 digests, and the MD5 variant of the CRYPT password storage scheme are now considered weak by default.
- Updated the Server SDK to add support for creating custom data security auditors.
For more information about data security auditors, see Auditing data content.
Removed support for incremental backups
Fixed DS-44442 PingDirectory
Removed support for incremental backups, which had been deprecated since the 8.3.0.0 release. As an alternative, we recommend using LDIF exports, which are more useful, more portable, and much more compressible than full backups, and they can be taken more frequently than full backups without consuming as much disk space. Further, the extract-data-recovery-log-changes tool can be used in conjunction with either LDIF exports or backups to replay changes recorded in the data recovery log since the time the export or backup was created.
Exploded indexes are no longer created unexpectedly
Fixed DS-44966 PingDirectory
Fixed an issue where exploded indexes were unexpectedly created following an unclean shutdown.
Fixed an issue with dsreplication
Fixed DS-45044 PingDirectory
Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.
The hibernate-validator library in the management console has been updated to version 6.2.1
Fixed DS-45461 PingDirectory
To close a vulnerability found in hibernate-validator 5.4.3, the management console now uses hibernate-validator 6.2.1. This newer version requires jakarta-validator 2.0.2 rather than the older javax-validator 1.1.0, so the directory server has also been upgraded to jakarta-validator 2.0.2 to preserve compatibility.
In version 2, javax-validator moved under the Jakarta project but still uses the javax namespace, so no code changes were needed beyond the dependency updates. If we move to jakarta-validator 3 in the future, we will need to move to the jakarta namespace.
Fixed an issue causing the replication initialize task to fail
Fixed DS-45567 PingDirectory
Fixed an issue where a replication initialize task that ran longer than the configured connection idle-timeout-limit would cause the initialize to fail.
Resource limits are now set for the topology admin user
Fixed DS-45638 PingDirectory
Fixed an issue where resource limits for the topology admin user created during replication enable were not set.
Fixed an issue with replication enablement
Fixed DS-45960 PingDirectory
Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.
Fixed an issue causing slow response time
Fixed DS-46017 PingDirectory
Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.
Fixed an issue causing sync to slow down
Fixed DS-46119 PingDataSync
Fixed an issue encountered when using PingDataSync with a PingOne Sync Destination that caused sync to slow down significantly after 5 minutes and generate extraneous requests to the sync destination.
Fixed an issue preventing changes to certain password policy state attributes from being applied
Fixed DS-46121 PingDataSync
Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.
Exposed previously hidden properties in the PingDirectoryProxy server
Fixed DS-46129 PingDirectoryProxy
Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
The migrate-ldap-schema tool now removes incorrect single quotes
Fixed DS-46169 PingDirectory
Modified the migrate-ldap-schema tool to remove incorrect single quotes enclosing the attribute type syntax OID in schemas being imported from Microsoft Active Directory.
Users are no longer prevented from changing their own passwords
Fixed DS-46392 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.
New servers can now be enabled into a large topology
Fixed DS-46436 PingDirectory
Fixed an issue where new servers could not be enabled into a large topology.
Enhanced the audit-data-security tool to use new data security auditors
Improved PingDirectory
The audit-data-security tool is used to identify potential risks or other notable security characteristics contained in directory data. This tool has been enhanced to use new data security auditors defined in the server configuration. The new data security auditors can identify:
- Accounts with password policy state issues that might currently or soon affect their usability.
- Accounts with an activation time in the future, an expiration time in the past, or an expiration time in the near future.
- Accounts with passwords encoded using deprecated password storage schemes.
- Accounts for users that have not authenticated in longer than a specified length of time.
- Accounts that are configured to use a nonexistent password policy and are therefore unable to authenticate.
- Entries that match a specified search filter.
Also, the locked account auditor is now able to identify validation-locked accounts, and the weakly encoded password auditor can now flag passwords encoded with SMD5, SHA, and SSHA, and also the MD5 variant of the CRYPT scheme.
For more information about the audit-data-security tool, see Auditing data content.
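To make the checks in the list above concrete, here is an added, self-contained audit over a handful of constructed entries; it is not the audit-data-security tool or its auditors, and it models the conditions the notes describe rather than the product’s implementation. Entries are plain dictionaries with LDAP generalized-time values; the ds-pwp-* attribute names, the set of existing password policies, the deprecated-scheme list ({RC4}) and the 90-day inactivity and 7-day expiry-warning thresholds are all assumptions for the example. The weak-scheme list is the one the 9.2.0.0 notes give (SHA, SSHA, SMD5 and the MD5 variant of CRYPT) plus {CLEAR}, {BASE64} and {MD5}, which offer no protection at all.

```python
from datetime import datetime, timedelta, timezone

# Weak by default per the notes on this page, plus the trivially reversible ones.
WEAK_PREFIXES = ("{CLEAR}", "{BASE64}", "{MD5}", "{SMD5}", "{SHA}", "{SSHA}")
DEPRECATED_SCHEMES = {"{RC4}"}          # assumed for illustration
KNOWN_POLICIES = {                      # assumed for illustration
    "cn=Default Password Policy,cn=Password Policies,cn=config",
}
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"      # LDAP generalized time, UTC

# Constructed sample entries; password values are placeholders, not real digests.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "userPassword": ["{SSHA256}Y29uc3RydWN0ZWQtZGlnZXN0"],
     "ds-pwp-password-policy-dn": "cn=Default Password Policy,cn=Password Policies,cn=config",
     "ds-pwp-last-login-time": "20240801120000Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "userPassword": ["{SSHA}Y29uc3RydWN0ZWQtZGlnZXN0"],
     "ds-pwp-password-policy-dn": "cn=Retired Policy,cn=Password Policies,cn=config"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "userPassword": ["{CRYPT}$1$c2FsdA$constructedhash"],
     "ds-pwp-account-expiration-time": "20240810000000Z"},
    {"dn": "uid=dave,ou=people,dc=example,dc=com",
     "userPassword": ["{PBKDF2}Y29uc3RydWN0ZWQtZGlnZXN0"],
     "ds-pwp-account-activation-time": "20250101000000Z",
     "ds-pwp-last-login-time": "20240101000000Z"},
    {"dn": "uid=erin,ou=people,dc=example,dc=com",
     "userPassword": ["{RC4}Y29uc3RydWN0ZWQ="],
     "ds-pwp-account-expiration-time": "20240820000000Z"},
]
NOW = datetime(2024, 8, 15, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def password_is_weakly_encoded(encoded: str) -> bool:
    upper = encoded.upper()
    if upper.startswith(WEAK_PREFIXES):   # "{SSHA256}" does not match "{SSHA}"
        return True
    # "$1$" selects MD5-crypt; "$5$" and "$6$" are the SHA-256/SHA-512 variants.
    return upper.startswith("{CRYPT}$1$")


def scheme_of(encoded: str) -> str:
    return encoded.split("}", 1)[0].upper() + "}" if encoded.startswith("{") else ""


def audit_entry(entry, now, inactivity=timedelta(days=90), expiry_warning=timedelta(days=7)):
    findings = []
    for pw in entry.get("userPassword", []):
        if password_is_weakly_encoded(pw):
            findings.append("weakly encoded password")
        if scheme_of(pw) in DEPRECATED_SCHEMES:
            findings.append("deprecated password storage scheme")
    # A real check must compare DNs case-insensitively; exact match is enough here.
    policy = entry.get("ds-pwp-password-policy-dn")
    if policy is not None and policy not in KNOWN_POLICIES:
        findings.append("nonexistent password policy")
    activation = entry.get("ds-pwp-account-activation-time")
    if activation and parse_time(activation) > now:
        findings.append("activation time in the future")
    expiration = entry.get("ds-pwp-account-expiration-time")
    if expiration:
        exp = parse_time(expiration)
        if exp < now:
            findings.append("expiration time in the past")
        elif exp - now <= expiry_warning:
            findings.append("expiration time in the near future")
    last_login = entry.get("ds-pwp-last-login-time")
    if last_login and now - parse_time(last_login) > inactivity:
        findings.append("no authentication within the inactivity period")
    return findings


def audit(entries, now, **limits):
    """Map each entry DN to its findings; entries with no findings are omitted."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry, now, **limits)
        if findings:
            report[entry["dn"]] = findings
    return report
```

Running audit(SAMPLE_ENTRIES, NOW) leaves alice clean and flags the other four for the conditions listed above; the prefix check is written so that {SSHA256} and {SHA512} style schemes are not mistaken for the weak {SSHA} and {SHA} ones.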
Improved logging with the addition of new features
Improved PingDirectory
Several features have been added to improve logging and the summarize-access-log tool to provide a better experience for administrators. The summarize-access-log tool already provided a list of the DNs of the target users for the most common bind failures, but the following metrics have been added to improve the detection of possible security issues:
- The IP addresses of the clients with the most failed bind attempts (in case a single client is trying to access multiple accounts, as might happen in a credential stuffing attack).
- The users with the most consecutive authentication failures (that is, the most failures between successes or the most failures without a success).
- Filters containing unexpected parentheses, ampersands, pipes, single quotes, or double quotes, which might indicate an unsuccessful LDAP filter injection attempt.
- Filters containing the words "select" and "from", which might indicate an unsuccessful SQL injection attempt.
- The most commonly used and most commonly missing privileges.
- The number of components in search filters, since an increase in the number of filters with many components might suggest a successful injection attempt.
For more information about the summarize-access-log tool, see Logging Tools.
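The detection ideas in that list are easy to misread without seeing them run, so here is an added example that computes the bind and filter metrics over a dozen constructed log lines. It is not the summarize-access-log tool, and the record format it parses is a simplified one invented for the example, not the PingDirectory access-log format; the injection heuristics are the ones a reviewer would apply by hand: a filter built by a proper LDAP library escapes ( ) & | inside values as \28 \29 \26 \7c, so raw metacharacters or quotes in an assertion value, or unbalanced parentheses, point at string concatenation of untrusted input.

```python
import re
from collections import Counter, defaultdict

# Constructed, simplified access-log lines for this example (not the real
# PingDirectory access-log format): one record per line, in time order.
SAMPLE_LOG = """\
BIND RESULT conn=1 from=203.0.113.7 dn="uid=alice,ou=people,dc=example,dc=com" resultCode=49
BIND RESULT conn=2 from=203.0.113.7 dn="uid=bob,ou=people,dc=example,dc=com" resultCode=49
BIND RESULT conn=3 from=203.0.113.7 dn="uid=carol,ou=people,dc=example,dc=com" resultCode=49
BIND RESULT conn=4 from=203.0.113.7 dn="uid=dave,ou=people,dc=example,dc=com" resultCode=49
BIND RESULT conn=5 from=198.51.100.4 dn="uid=alice,ou=people,dc=example,dc=com" resultCode=49
BIND RESULT conn=6 from=198.51.100.4 dn="uid=alice,ou=people,dc=example,dc=com" resultCode=0
BIND RESULT conn=7 from=198.51.100.4 dn="uid=alice,ou=people,dc=example,dc=com" resultCode=49
BIND RESULT conn=8 from=198.51.100.4 dn="uid=alice,ou=people,dc=example,dc=com" resultCode=49
SEARCH REQUEST conn=9 from=198.51.100.4 filter="(uid=alice)"
SEARCH REQUEST conn=10 from=203.0.113.7 filter="(uid=*)(|(uid=*"
SEARCH REQUEST conn=11 from=203.0.113.7 filter="(cn=' select * from users)"
SEARCH REQUEST conn=12 from=198.51.100.4 filter="(&(uid=bob)(objectClass=person)(mail=*))"
"""

BIND_RE = re.compile(r'^BIND RESULT conn=(\d+) from=(\S+) dn="([^"]*)" resultCode=(\d+)$')
SEARCH_RE = re.compile(r'^SEARCH REQUEST conn=(\d+) from=(\S+) filter="([^"]*)"$')
VALUE_RE = re.compile(r'=([^()]*)')      # assertion values: text after "=" up to a paren
SQL_RE = re.compile(r'\bselect\b.*\bfrom\b', re.IGNORECASE)


def parse(log_text):
    """Split the log into bind results and search requests, preserving order."""
    binds, searches = [], []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            conn, ip, dn, rc = m.groups()
            binds.append((int(conn), ip, dn, int(rc)))
            continue
        m = SEARCH_RE.match(line)
        if m:
            conn, ip, flt = m.groups()
            searches.append((int(conn), ip, flt))
    return binds, searches


def failed_binds_by_ip(binds):
    """Failed binds per client IP; one IP spread over many DNs suggests credential stuffing."""
    return Counter(ip for _, ip, _, rc in binds if rc != 0)


def max_consecutive_failures_by_dn(binds):
    """Longest run of failures per bind DN; each success resets the run."""
    streak, best = defaultdict(int), defaultdict(int)
    for _, _, dn, rc in binds:
        if rc == 0:
            streak[dn] = 0
        else:
            streak[dn] += 1
            best[dn] = max(best[dn], streak[dn])
    return dict(best)


def filter_findings(flt):
    """Reasons a filter looks like an injection attempt (empty list if none)."""
    reasons = []
    if flt.count("(") != flt.count(")"):
        reasons.append("unbalanced parentheses")
    values = VALUE_RE.findall(flt)
    if any(c in v for v in values for c in "'\""):
        reasons.append("quote in assertion value")
    if any(c in v for v in values for c in "&|"):
        reasons.append("&/| in assertion value")
    if SQL_RE.search(flt):
        reasons.append("SQL keywords")
    return reasons


def suspicious_searches(searches):
    flagged = []
    for conn, ip, flt in searches:
        reasons = filter_findings(flt)
        if reasons:
            flagged.append((conn, ip, flt, reasons))
    return flagged


def component_count_histogram(searches):
    """Filters per component count; a shift toward long filters over time is the signal."""
    return Counter(flt.count("=") for _, _, flt in searches)
```

On the sample, 203.0.113.7 tops the failed-bind list with four different target DNs, alice’s longest failure run is two, connections 10 and 11 are flagged (unbalanced parentheses; a quote plus SQL keywords), and the component histogram shows one three-component filter. The consecutive-failure view is the one that separates a user who mistyped twice from an account under sustained attack, which a plain failure count does not.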
Access control improvements
Improved PingDirectory
PingDirectory provides a number of features for controlling access to data in the data store, including access control instructions (ACIs) and connection criteria. In this release, the access control handler adds a bind rule that makes access control decisions based on whether the client connection is secure, a bind rule that matches the client connection against a given set of connection criteria, and a target that determines whether a rule applies to a given request based on request criteria.
Updated global configuration
Improved DS-38078 PingDirectory
Updated the global configuration to define configuration properties that can be used to set alternative size limit, time limit, idle time limit, and lookthrough limit values for unauthenticated clients. By default, the server will use the same default limits for both authenticated and unauthenticated clients, but you can now set limits for unauthenticated clients that are different from the default limits imposed for authenticated clients. It is still possible to override these limits on a per-user basis with operational attributes in the user’s entry.
Added support for generating digital signatures with a key obtained from an encryption settings definition
Improved DS-38277
Added support for generating digital signatures with a key obtained from an encryption settings definition. By default, the server’s preferred encryption settings definition will be used to obtain the signing key, but you can use the signing-encryption-settings property in the crypto manager configuration to choose an alternative definition.
Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.
Added support for HTTP forward proxy
Improved DS-40345
Updated the server to add HTTP forward proxy support for several server components that might need to establish HTTP and HTTPS connections to external services. Updated components include:
- The Amazon Key Manager cipher stream provider
- The Amazon Secrets Manager cipher stream provider
- The Amazon Secrets Manager passphrase provider
- The Amazon Secrets Manager password storage scheme
- The Azure Key Vault cipher stream provider
- The Azure Key Vault passphrase provider
- The Azure Key Vault password storage scheme
- The PingOne pass-through authentication plugin
- The PingOne sync source and destination
- The Pwned Passwords password validator
- The SCIMv1 sync destination
- The SCIMv2 sync destination
- The Twilio alert handler
- The Twilio OTP delivery mechanism
- The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler
The replication-purge-obsolete-replicas property is now set to true by default
Improved DS-41467 PingDirectory
The replication-purge-obsolete-replicas global configuration property is now set to true by default for new and upgraded PingDirectory servers so that obsolete replicas are purged.
The replace-certificate tool now re-prompts the user for the path to a valid file containing certificates
Improved DS-45968
Updated the replace-certificate tool’s behavior when running in interactive mode. Previously, when it prompted the user for the path to a file containing one or more certificates to be imported, it would exit with an error if the provided path represented a file that did not contain valid certificate information. It will now re-prompt the user for the path to a valid file after displaying the error message.
Updated replication enable synopsis
Improved DS-46127 PingDirectory
Updated replication enable synopsis to mention that schema initialization is part of the enable process and explain that the order of provided servers is significant for the initialization.
Updated the dsconfig tool
Improved DS-46313
Updated the dsconfig tool to ensure that it uses the correct authentication type when applying changes to all servers in a server group. Previously, it would always attempt to use simple authentication, even if the connection to the initial server was authenticated using a different mechanism.
Enhanced the replication server
Improved DS-46332 PingDirectory
The replication server now continues to handle incoming replication connections even when there is an unexpected exception.
Updated Amazon AWS external server configuration
Improved DS-46615
Updated the Amazon AWS external server configuration to provide more control over the method used to authenticate to AWS. Previously, it was only possible to authenticate with an access key or an IAM role. We have added an option to use an IRSA role, and we have also added an option to use a default credentials provider chain that attempts to identify an appropriate authentication method for cases in which the server is running in the AWS environment (for example, EC2 or EKS) based on locally available information like system properties and environment variables.
dsreplication enable subcommand description differs based on operating system
Issue DS-46127 PingDirectory
There is a known issue with the description of the dsreplication enable subcommand differing based on the operating system. On macOS, an updated description is shown:
"Update the configuration of the servers to replicate the data under the specified base DN(s). If one of the two servers is already part of an existing replication topology, then that server must be specified as the first server. This is because the schema of the second server will be updated to match the schema of the first. The configuration of all the servers in the existing topology will also be updated, so it is sufficient to perform this operation once for each new server that is added to the topology. The server-to-server replication communication is always secured with SSL."
But on some operating systems, including Windows and CentOS, the older description is shown that doesn’t mention the schema initialization.
Support for HashiCorp Vault password storage schemes
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 9.1.0.4 (November 2023)
Added a configuration property to the Config File Handler backend
New DS-45254, DS-47110, DS-47401 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under specified base DNs.
If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration gets added to the configuration archive, but that archived configuration file can be removed after the next configuration change.
By default, this property applies to the topology registry subtree.
Faster server backup and recovery
Improved DS-45157 PingDirectory
We significantly improved the performance of critical disaster recovery operations, reducing both maintenance overhead and downtime, if you need to recover a server. You can now create server backups, restore from a backup, and initialize an online replica in less time.
Enhanced the dsreplication enable command
Improved DS-46902 PingDirectory
The dsreplication enable command can now add a new server to an existing topology with the same major and minor release version but a newer maintenance level.
Improved the response time of dsreplication enable
Improved DS-46906 PingDirectory
Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.
Fixed an issue with the purging of obsolete replicas
Fixed DS-47369 PingDirectory
Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.
Fixed a potential NPE for missing changes in replication
Fixed DS-47289 PingDirectory
Fixed a possible null pointer exception in replication where missing changes were found for a replica, but that replica didn’t exist on all servers. This could have occurred in scenarios where the replica was obsolete and purged concurrent to the check for missing changes.
Fixed an issue with the remove-defunct-server command
Fixed DS-47784 PingDirectory
Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme. In these cases, the encryption settings were not initialized before initializing the password policy components.
Fixed an error with replicated PingDirectory server topologies
Fixed DS-47103 PingDirectory
Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.
Fixed an issue with index name length
Fixed DS-47182 PingDirectory
Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.
Fixed an issue where adding a hotfix server to a topology failed
Fixed DS-46807 PingDirectory
Fixed an issue where dsreplication enable failed to add a server with a hotfix build to an existing topology with a previous build. The hotfix server would attempt to become topology master immediately, interrupting proper initialization.
Fixed an issue with nondescript logging for manage-profile replace-profile errors
Fixed DS-46983 PingDirectory
Fixed an issue where errors that occurred during a manage-profile replace-profile operation would only log Batch command failed entries.
Batched dsconfig commands that are executed during manage-profile replace-profile will now report a detailed cause for the failing command.
PingDirectory suite of products 9.1.0.3 (August 2023)
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.1.0.2 (March 2023)
Fixed an issue with resource limits for the topology admin user
Fixed DS-45638 PingDirectory
Fixed an issue where resource limits for the topology admin user created during replication enable were not set.
Fixed an issue with password policy state attributes
Fixed DS-46121 PingDataSync
Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.
PingDirectory suite of products 9.1.0.1 (November 2022)
Fixed an issue with the dsreplication tool
Fixed DS-45044 PingDirectory
Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.
Fixed an issue with replication enablement
Fixed DS-45960 PingDirectory
Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.
Fixed an issue with slow response times on PingDirectory servers
Fixed DS-46017 PingDirectory
Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.
Fixed an issue preventing users from changing their passwords
Fixed DS-46392 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the Directory Proxy Server.
Updated the PingDirectoryProxy server to expose properties in global configuration
Improved DS-46129 PingDirectoryProxy
Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
PingDirectory suite of products 9.1.0.0 (June 2022)
Added support to sanitize access logs to protect sensitive information
New
Log files can potentially contain sensitive or identifiable information that you might not necessarily want recorded in the clear. The server can now be configured to sanitize access logs as they are being written. This is available for any writer-based or JSON-formatted access log, and elements in the log message can be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see Log sanitization.
Added support for processing JSON-formatted access logs
New
PingDirectory provides a robust logging system allowing for detailed analysis of the server’s functioning. Included is support for creating log files written using JSON format. The summarize-access-log command, which is used to display several metrics about operations processed within the server, now supports processing JSON-formatted access logs.
Updated Directory REST API
New
The Directory REST API allows developers to create customized applications for managing the entries in a directory instance. The Directory REST API now supports controls previously only available through LDAP calls. This includes the ability to do joins, allowing for advanced data modeling of relationships.
Added conflict error messages for replicated PingDirectory deployments
New
In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically and, in such cases, the server whose add attempt creates a conflict now returns a CONFLICT result in the replication response control and LDAP result code.
JSON-formatted access logger updated
Improved DS-44507, DS-45243, DS-45530
Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.
PingDataSync Server supports PingOne as a sync destination
Improved PingDataSync
PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.
Synchronize data to custom attributes defined in the PingOne environment
Improved PingDataSync
When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.
Repeating cycle when resetting a password
Issue PingDirectory
If your password policy for an admin user (such as a topology administrator or rootDN) is set with
An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator in a repeating cycle when resetting the password.
One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:
$ bin/manage-account set-must-change-password \
--mustChangePassword false \
--targetDN cn=<admin cn>
setup tool failure because of Bouncy Castle JAR files
Issue
The setup command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the lib directory that begin with bc. The JAR files are mentioned in an error message similar to the following: An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server’s classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.
Bouncy Castle libraries are not removed from the lib directory
Issue DS-46007
If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the lib directory, resulting in both the older and newer versions of the library being in the lib directory. This should not cause any problems with the server, but it might result in warning messages in the server’s error log about different versions of the same JAR file in the classpath (for example, The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar and The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.
JSON-formatted controls rejected
Issue DS-46016 PingDirectory, PingDirectoryProxy
JSON-formatted join request controls with their criticality set to false are rejected by non-search requests as if their criticality were true.
Fixed an issue that prevented the server from refreshing monitor data
Fixed DS-41468
Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced. For information on log sanitization, see Log sanitization.
Fixed the status tool
Fixed DS-44481
The status tool now shows the current collect-support-data version.
Fixed key and trust store PIN issues
Fixed DS-45336
Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.
Updated the server to create the esTokenizer.ping file if it does not exist
Fixed DS-45449 PingDirectory
Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.
Password policies using virtual attributes are now correctly applied
Fixed DS-45466 PingDirectory
Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.
Improved string representations of active operations and persistent searches
Fixed DS-45485 PingDirectory, PingDirectoryProxy
Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.
The encode-password tool now works with AES256 password storage
Fixed DS-45546 PingDirectory
Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.
Support added for synchronizing custom attributes defined in PingOne destinations
Fixed DS-36184, DS-45125 PingDataSync
Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.
Set a consistent priority index when adding two PingDataSync servers into a new failover topology
Fixed DS-45123 PingDataSync
Updated the manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.
Updated the sanitize-log tool
Fixed DS-16236 PingDirectory
Updated the sanitize-log tool to better align with the server’s support for sanitizing log messages as they are logged. Changes include:
- It is preconfigured with default behaviors for an expanded set of log fields.
- It can be configured to suppress the default log field behavior configuration and use only explicitly specified configuration.
- It offers support for additional sanitization options, including omitting fields and differentiating between values that should be redacted or tokenized in their entirety or by components.
- It now uses syntax-aware redaction and tokenization.
- It offers support for specifying a default behavior to use on a per-syntax basis.
- It can obtain its settings from a log field behavior definition in the server configuration.
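The log sanitization described above (and under "Added support to sanitize access logs" in the 9.1.0.0 notes) combines per-field behaviors with per-syntax defaults. The following sanitizer, added here as an example and not PingDirectory's own code, applies redact, tokenize and omit behaviors to a JSON-formatted access log line, with DN and filter values tokenized per component so that correlation across log lines survives; the field names, the per-syntax defaults and the sample record are constructed for this example.

```python
import hashlib
import hmac
import json
import re

# Constructed key for keyed tokenization: equal inputs map to equal tokens
# (so entries can still be correlated) but tokens cannot be reversed without
# the key. A real deployment would load the key from a secret store.
TOKEN_KEY = b"example-only-tokenization-key"
REDACTED = "***REDACTED***"

# Hypothetical field-to-syntax mapping and per-syntax default behaviors.
FIELD_SYNTAX = {
    "bindDN": "dn", "baseDN": "dn", "authzDN": "dn", "dn": "dn",
    "filter": "filter",
    "requesterIP": "ip",
    "additionalInfo": "generic", "diagnosticMessage": "generic",
}
SYNTAX_DEFAULT = {"dn": "tokenize", "filter": "tokenize",
                  "ip": "preserve", "generic": "redact"}
# Explicit per-field behaviors that override the per-syntax defaults.
FIELD_OVERRIDE = {"requesterIP": "tokenize", "diagnosticMessage": "omit"}

# One filter component: (attr op value), e.g. (uid=jdoe) or (age>=21).
_FILTER_COMPONENT = re.compile(r"\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)\)")


def tokenize(value: str) -> str:
    """Keyed, truncated hash: stable under one key, not reversible."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256)
    return "tok:" + digest.hexdigest()[:12]


def tokenize_dn(dn: str) -> str:
    """Syntax-aware DN handling: keep attribute types and depth, tokenize
    each RDN value separately. Splits only on unescaped commas."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, val = rdn.strip().partition("=")
        out.append(f"{attr}={tokenize(val)}" if sep else tokenize(attr))
    return ",".join(out)


def tokenize_filter(flt: str) -> str:
    """Keep attribute names and operators, tokenize assertion values.
    Presence components such as (uid=*) carry no data and are kept."""
    def repl(m):
        attr, op, val = m.groups()
        return f"({attr}{op}{'*' if val == '*' else tokenize(val)})"
    return _FILTER_COMPONENT.sub(repl, flt)


def apply_behavior(field: str, value: str, behavior: str):
    """Return the sanitized value, or None when the field is omitted."""
    if behavior == "omit":
        return None
    if behavior == "redact":
        return REDACTED
    if behavior == "tokenize":
        syntax = FIELD_SYNTAX.get(field)
        if syntax == "dn":
            return tokenize_dn(value)
        if syntax == "filter":
            return tokenize_filter(value)
        return tokenize(value)
    return value  # preserve


def sanitize_record(record: dict, overrides=FIELD_OVERRIDE) -> dict:
    """Apply the resolved behavior to each string field of one decoded
    log record. Non-string values (result codes, counts) are preserved."""
    out = {}
    for field, value in record.items():
        if not isinstance(value, str):
            out[field] = value
            continue
        syntax = FIELD_SYNTAX.get(field, "other")
        behavior = overrides.get(field, SYNTAX_DEFAULT.get(syntax, "preserve"))
        new_value = apply_behavior(field, value, behavior)
        if new_value is not None:
            out[field] = new_value
    return out


def sanitize_line(line: str) -> str:
    """Sanitize one JSON-formatted access log line."""
    return json.dumps(sanitize_record(json.loads(line)), separators=(",", ":"))


# Constructed sample record; not a real PingDirectory log line.
SAMPLE_LINE = json.dumps({
    "timestamp": "2022-06-15T12:30:45.123Z",
    "messageType": "result", "operationType": "search",
    "requesterIP": "192.0.2.10",
    "bindDN": "uid=jdoe,ou=people,dc=example,dc=com",
    "baseDN": "ou=people,dc=example,dc=com",
    "filter": "(&(objectClass=person)(mail=jdoe@example.com)(uid=*))",
    "resultCode": 0, "entriesReturned": 1,
    "additionalInfo": "Search matched 1 entry for jdoe",
    "diagnosticMessage": "Unable to process request from jdoe",
})


def sanitize_sample() -> dict:
    """Sanitize the constructed sample and return the decoded result."""
    return json.loads(sanitize_line(SAMPLE_LINE))


if __name__ == "__main__":
    print(sanitize_line(SAMPLE_LINE))
```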
Improved assured replication result codes for conflicts
Improved DS-42302 PingDirectory
Added support for improved assured replication result codes when replication conflicts occur. For processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.
Fixed password policy state extended operation
Fixed DS-44667 PingDirectory
Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.
Added a new Docker command-line tool
Improved DS-45147 PingDirectory, PingDataSync, PingDirectoryProxy
Added a docker-pre-start-config command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container’s environment.
Added a new argument for manage-profile generate-profile
Improved DS-45163
Added a --excludeSetupArguments argument for the manage-profile generate-profile command, which allows generating a server profile that does not include a setup-arguments.txt file. Added a --skipValidation argument for the manage-profile replace-profile command, which allows skipping the final server validation step when running on an offline server. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile’s <server-root>/pre-setup/ directory.
Fixed an issue with server privileges
Fixed DS-45250
Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.
Improved protections around the ds-pwp-modifiable-state-json operational attribute
Improved DS-45255, DS-45504, DS-45505 PingDirectory
Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to ds-pwp-modifiable-state-json if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for modify operations, and the server would properly reject add attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.
The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it prohibits attempts to update the ds-pwp-modifiable-state-json operational attribute in another user’s entry in the same modify request that also resets that user’s password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions, while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user’s password policy state.
Fixed a backwards compatibility issue with the migrate-ldap-schema tool
Fixed DS-45322 PingDirectory
A former version of the tool allowed the --useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.
Removed two password policies for non-password users
Fixed DS-45439, SF:00741269 PingDirectory
Minimum and maximum age password policies are no longer applied for users without a password.
Updated Kafka version
Security DS-45462
Updated PingDirectory products to use Kafka 2.8.1, which resolves.
Fixed incorrect index skipping
Fixed DS-45470 PingDirectory
Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine where the results from one index should already be encompassed by results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).
Updated the topology registry and the replace-certificate tool
Improved DS-45480, DS-45636
Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server’s certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.
Made the following updates to the replace-certificate tool:
- Added new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
- Added a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
- Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate’s issuers, or adding both the listener certificate and its issuers.
- Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.
Fixed an access log reporting issue
Fixed DS-45487 PingDirectory
Fixed an issue where access logs incorrectly reported negative processing times for certain operations.
Added support for JSON-formatted request and response controls
Improved DS-45494 PingDirectory, PingDirectoryProxy
Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.
Updated the server Bouncy Castle cryptographic library versions
Security DS-45503
Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.
Added support for generic strings in access and error log messages
Improved DS-45541, DS-45542
Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.
Updated the local DB backend to disable the index cursor entry limit by default
Improved DS-45564 PingDirectory
This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.
In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.
Fixed gauge alarm issues
Fixed DS-45578 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.
Fixed server lockdown issue in newly initialized databases
Fixed DS-45582 PingDirectory
Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server …may have missed one or more update(s). if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.
Updated the export-reversible-passwords tool
Fixed DS-45600 PingDirectory
Updated the export-reversible-passwords tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.
Fixed a server operation rejection issue
Fixed DS-45767 PingDirectory
Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It continues to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.
Fixed a replication protocol message issue
Fixed DS-45714, SF:00753519 PingDirectory
Fixed an issue that allowed replication protocol messages to be dropped.
Updated to LDAP SDK version 6.0.5
Fixed DS-45746 PingDirectory
Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.
Fixed a server issue causing internal errors during monitoring
Fixed DS-45786 PingDirectory
Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.
Fixed a Directory REST API error with mismatched time syntax attribute values
Fixed DS-45788 PingDirectory
Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
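The Generalized Time syntax referred to above permits more forms than YYYYMMDDhhmmssZ. The following parser, added here as an example and not PingDirectory's own code, accepts every form RFC 4517 allows (optional minutes and seconds, a fraction of the last unit given, a leap second, and Z or ±hh[mm] zones) and normalizes the value to the single format the REST API expected; all sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime:
#   YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+HH[MM]|-HH[MM])
_GT = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})"   # year, month, day, hour
    r"(?:(\d{2})(\d{2})?)?"            # optional minute, optional second
    r"(?:[.,](\d+))?"                  # optional fraction of the last unit
    r"(Z|[+-]\d{2}(?:\d{2})?)$"        # time zone
)


def _zone(tz: str) -> timezone:
    """Convert 'Z', '+HHMM', '+HH', '-HHMM' or '-HH' to a tzinfo."""
    if tz == "Z":
        return timezone.utc
    sign = -1 if tz[0] == "-" else 1
    hours, minutes = int(tz[1:3]), int(tz[3:5] or 0)
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_generalized_time(value: str) -> datetime:
    """Return a UTC datetime for any valid Generalized Time value,
    or raise ValueError for anything else (including calendar errors)."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    year, month, day, hour, minute, second, frac, tz = m.groups()
    # A leap second (SS = 60) is clamped to 59 and one second is added after.
    leap = second == "60"
    dt = datetime(int(year), int(month), int(day), int(hour),
                  int(minute or 0), 59 if leap else int(second or 0),
                  tzinfo=_zone(tz))
    if leap:
        dt += timedelta(seconds=1)
    if frac:
        # The fraction applies to the smallest unit actually present.
        f = int(frac) / 10 ** len(frac)
        if second is not None:
            dt += timedelta(seconds=f)
        elif minute is not None:
            dt += timedelta(minutes=f)
        else:
            dt += timedelta(hours=f)
    return dt.astimezone(timezone.utc)


def is_generalized_time(value: str) -> bool:
    """True when the value is syntactically and calendrically valid."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def to_canonical(value: str) -> str:
    """Normalize to YYYYMMDDhhmmssZ in UTC; fractional seconds are kept
    only when non-zero, with trailing zeros removed."""
    dt = parse_generalized_time(value)
    text = dt.strftime("%Y%m%d%H%M%S")
    if dt.microsecond:
        text += "." + f"{dt.microsecond:06d}".rstrip("0")
    return text + "Z"


if __name__ == "__main__":
    # Constructed values in forms other than YYYYMMDDhhmmssZ
    for sample in ("2022061512Z", "202206151230,5Z", "20220615123045+0200"):
        print(sample, "->", to_canonical(sample))
```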
Fixed Proxy server manage-profile replace-profile errors
Fixed DS-45798 PingDirectoryProxy
In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:
The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) ...
This fix ensures that the configuration is loaded before the merge that the error message refers to.
Updated the commons-codec library
Security DS-45898
Updated the commons-codec library to version 1.13.
Delegated Admin 4.10 (June 2022)
Accounts can be directly unlocked
New Delegated Admin
Managing accounts includes the ability to unlock accounts. Previously, the only way to unlock an account was for an administrator to reset the password. Now, Delegated Admin users can directly unlock an account without resetting the password.
The initiate password reset option does not unlock accounts.
Assign custom names for Members and Nonmembers columns
New Delegated Admin
Managing group membership is a common administrative user task. Resource types can now have custom names assigned for Members and Nonmembers columns. This option is available for the Groups, Users and Generic REST resource types.
Implicit grant type is no longer recommended
New Delegated Admin
Currently, we are using the Implicit
grant type. However, the Implicit
grant type is no longer recommended for use because it can leak the access tokens. For more information, see https://oauth.net/2/grant-types/implicit/. For new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE.
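The following is an added example written for this page; it is not Delegated Admin or PingDirectory code. It shows what Authorization Code with PKCE (RFC 7636) adds over the Implicit grant: the client keeps a random code_verifier, sends only its SHA-256 challenge on the front channel, and the authorization server checks the verifier when the code is redeemed, so a code captured from the front channel cannot be exchanged for a token by itself. The storage dictionary and the flow walk-through are simplified stand-ins for real token endpoint processing.

```python
import base64
import hashlib
import secrets
import string

# Added example, not Delegated Admin or PingDirectory code: the client and
# authorization-server halves of the PKCE exchange (RFC 7636). The "issued"
# dictionary stands in for the server's persisted authorization-code record.

_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")


def _b64url(data: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client: random verifier of 43..128 unreserved characters (RFC 7636 section 4.1)."""
    verifier = _b64url(secrets.token_bytes(nbytes))  # 32 bytes -> 43 characters
    if not 43 <= len(verifier) <= 128:
        raise ValueError("verifier length out of range")
    return verifier


def make_code_challenge(verifier: str) -> str:
    """Client: S256 challenge = BASE64URL(SHA256(ASCII(verifier))) (section 4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_verifier(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server: on the token request, recompute the challenge from the
    presented verifier and compare it in constant time with the challenge that was
    stored alongside the authorization code (section 4.6)."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if not set(presented_verifier) <= _UNRESERVED:
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier  # allowed by the RFC, but no protection if the challenge leaks
    else:
        return False
    return secrets.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def pkce_flow_demo() -> dict:
    """Walk the exchange once and show why an intercepted code alone is useless."""
    # 1. Client generates the verifier, derives the challenge, and sends only the
    #    challenge (with code_challenge_method=S256) on the authorization request.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # 2. Authorization server stores the challenge with the code it issues.
    issued = {"code": secrets.token_urlsafe(24), "challenge": challenge, "method": "S256"}
    # 3. Client redeems code + verifier on the back channel; server checks the binding.
    legit = verify_code_verifier(issued["challenge"], issued["method"], verifier)
    # 4. An attacker who captured only the code from the front channel (the kind of
    #    leak the Implicit grant exposes access tokens to) has no verifier.
    stolen = verify_code_verifier(issued["challenge"], issued["method"], make_code_verifier())
    return {"legit": legit, "stolen_code_only": stolen}


if __name__ == "__main__":
    print(pkce_flow_demo())
```

The S256 method is the one to configure; "plain" is accepted here only to show the branch the RFC permits, and it offers no protection if the authorization request itself is observed.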
Upload and display image files and certificates
New Delegated Admin
Customers using Delegated Admin can now upload and display image files and upload certificates for properly configured resource types. Certificates are encoded before being stored.
Name of uploaded file is not displayed
Issue DS-45739 Delegated Admin
When uploading certificates or photos to REST resource types in Delegated Admin, the name of the uploaded file is not displayed. If multiple certificates are uploaded for a user, a number will be assigned based on the order the certificates were uploaded in.
Fixed input validation issue
Fixed DS-45760 Delegated Admin
Fixed a form input validation issue for required integer attributes on a resource type that was preventing users from saving new resources.
Non-members are no longer displayed initially for group’s resource types
Fixed DS-45483 Delegated Admin
Non-members of a group are no longer displayed initially on the edit group membership view for the group resource types.
PingDirectory suite of products 9.0.0.6 (August 2023)
Fixed an issue where the server rejected certain operations
Fixed DS-45767 PingDirectory
Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control’s criticality. It will continue to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server will continue processing the operation as if that control had not been requested.
Fixed a security issue
Security DS-47632 PingDirectory
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported versions of the PingDirectory Server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039.
PingDirectory suite of products 9.0.0.5 (April 2023)
PingDirectory suite of products 9.0.0.4 (January 2023)
Fixed an issue preventing the server from refreshing monitor data
Fixed DS-41468
Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.
Fixed an issue with the dsreplication tool
Fixed DS-45044 PingDirectory
Fixed an issue with the dsreplication tool where baseDNs and restricted baseDNs were improperly handled as case sensitive.
Fixed an issue with the encode-password tool
Fixed DS-45546 PingDirectory
Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.
Fixed an issue with resource limits
Fixed DS-45638 PingDirectory
Fixed an issue where resource limits for the topology admin user created during replication enable were not set.
Fixed an issue causing configurations not to load correctly
Fixed DS-45798 PingDirectoryProxy
In the PingDirectoryProxy server, manage-profile replace-profile sometimes failed with an error similar to the following: The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other). This fix ensures that the configuration is loaded before the merge that the error message refers to.
Fixed an issue causing replication enablement to fail
Fixed DS-45960 PingDirectory
Fixed an issue that caused replication enablement to fail if there is at least one topology-wide administrator with no password.
Fixed an issue with changes to Password Policy State attributes
Fixed DS-46121 PingDataSync
Fixed an issue where changes to certain Password Policy State attributes would not be applied to the correct entry when using a Ping Identity Sync Destination under very specific circumstances.
Fixed an issue preventing users from changing their passwords
Fixed DS-46392 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server could prevent users from changing their own passwords with the password modify extended operation if their account was in a "must change password" state and the request passed through the PingDirectoryProxy server.
The maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties are now exposed in the global configuration
Improved DS-46129 PingDirectoryProxy
Updated the PingDirectoryProxy server to expose the maximum-attributes-per-add-request and maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
PingDirectory suite of products 9.0.0.2 (July 2022)
Updated the server to create the esTokenizer.ping file if it does not exist
Fixed DS-45449 PingDirectory
Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.
Updated the active operations monitor provider
Improved DS-45485 PingDirectory, PingDirectoryProxy
Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the LDAP SDK for Java.
Fixed a Directory REST API error with mismatched time syntax attribute values
Fixed DS-45788 PingDirectory
Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a SCIM entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.
Fixed a SCIM POST request error response issue
Fixed DS-45863 PingDirectory
Resolved an issue where SCIM POST requests that violated a unique attribute constraint received an error response with status 400 (Bad Request) instead of 409 (Conflict).
Fixed a performance issue with large numbers of virtual static groups
Fixed DS-46017 PingDirectory
Resolved an issue with slow response time on PingDirectory servers configured with a large number (10,000 or more) of virtual static groups.
PingDirectory suite of products 9.0.0.1 (March 2022)
Issue with syncing multi-valued JSON attributes to a PingOne destination
Issue PingDataSync
For multi-valued JSON attributes, you should not use JSON attribute mappings when synchronizing data to a PingOne destination. When synchronizing JSON data, you can use a direct attribute mapping if the data at the source server is JSON. If the data at the source server should be assembled into JSON form, you can define a constructed attribute mapping.
Added support for synchronizing data to custom attributes defined in PingOne destinations
Improved DS-36184, DS-45125 PingDataSync
Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.
When defining attribute mappings for a PingOne destination, you can use direct attribute mappings for string to string or JSON to JSON synchronizations. If a string attribute at the source server should be stored as JSON in the PingOne environment, you should define a constructed attribute mapping in PingDataSync.
PingDirectory suite of products 9.0.0.0 (December 2021)
New entry-balancing options
Improved PingDirectory
Entry-balancing is a PingDirectoryProxy Server configuration that allows the entries within a portion of the directory information tree (DIT) to reside on multiple external servers. The entry counter, hash distinguished name (DN) and round-robin placement algorithms can now be configured to exclude backend sets for add operations, allowing for greater control over the use of multiple servers for entry balancing.
You can interact with entries within the data store including LDAP and several REST APIs
Improved PingDirectory
PingDirectory provides several interfaces for interacting with entries within the data store including LDAP and several REST APIs. In this release, the Directory REST API can now return any tagging options that are defined for an attribute. These tagging options are treated as subtypes of the same attribute while not explicitly declared in the schema.
CyberArk Conjur and Azure Key Vaults support added
Improved PingDirectory
In an earlier release, PingDirectory added support for a passphrase provider API to secure administrative passphrases, pins or passwords. This release adds both CyberArk Conjur and Azure Key Vaults to the list of available passphrase and cipher stream providers. Cipher stream providers are used to protect the keys stored in the encryption settings database.
OAuth tokens can be used with the File Servlet
Improved PingDirectory
Because administrators now have the ability to single sign-on (SSO) to the PingDirectory administrative console, the File Servlet used to download files from a server instance can now also use OAuth tokens for authentication along with the basic HTTP authentication method, such as username and password.
Apply your own branding to console elements.
Fixed PingDirectory, PingDirectoryProxy, PingDataSync
The administrative console is one tool you can use to configure and manage PingDirectory servers. In this release, you can now apply your own branding to console elements such as background colors, images and logos, and certain text elements. Sign on, sign out, and configuration pages are included in possible configuration areas. For more information, see the README.txt file in the console .war file shipped with PingDirectory.
New --performLocalCleanup option added to the remove-defunct-server command
Improved PingDirectory
To improve the defunct server topology cleanup process when your topology is unhealthy, such as during a network outage or disaster recovery, a new option to the remove-defunct-server command cleans up stale replication metadata before the server is added back into the topology. This new argument, --performLocalCleanup, allows administrators to easily take a server out of a topology for maintenance or troubleshooting and return the server back to the topology later. For more information on remove-defunct-server and its options, run bin/remove-defunct-server --help.
Added support for a pluggable pass-through authentication plugin
Improved PingDirectory
Earlier PingDirectory Server versions support pass-through authentication to remote LDAP servers or to PingOne, which can be useful when migrating data into the Directory Server from another service, or when the Directory Server needs to coexist with another service that is an authoritative source for user passwords. This release adds support for a pluggable pass-through authentication plugin, which makes it possible to pass through simple bind requests to an arbitrary external service using a pass-through authentication handler to manage interaction with that service, and the Server SDK has been updated to allow creating custom pass-through authentication handlers. As with existing pass-through authentication support, this functionality is only available for LDAP simple binds, and it does not support SASL authentication. For more information on this plugin, see Working with pass-through authentication.
Added new options to the dsreplication command to make replication faster
Improved PingDirectory
In multi-server deployments, replication is used to maintain consistency of data and schema between the servers. With larger deployments, attempting to initialize replication for multiple servers can take longer. New options to the dsreplication command can now speed up this process by initializing replication on multiple servers in parallel. The number of servers can either be the entire set of servers in the deployment, or a subset of servers based on location, or instance name or a specific number. For more information on dsreplication subcommands, see Summary of the dsreplication Subcommands.
Added a new password storage scheme to provide enhanced security
Improved PingDirectory
Typically, the passwords for administrative users have been stored directly in PingDirectory based on the configured password storage scheme. To provide enhanced security for those administrative accounts that need it, a new password storage scheme has been added that allows for the password to be stored in an external vault. Currently, Amazon AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault are supported.
The config-audit log now tracks the originating account information when individual changes are made
Improved PingDirectory
To better manage the configuration of multiple servers in large topologies, PingDirectory uses the config-audit log file to allow administrators to easily determine, replay or undo configuration changes made to servers. Previously, when modifying topology or cluster configuration, the original requesting account information was not logged. Now, to assist administrators and improve server auditing, the config-audit log will track the originating account information that made individual changes. For circumstances where more protection is required, there is a new property that will redact any sensitive attributes that might be written to the log file (instead of the default obfuscation behavior). This includes instances where administrative users change their passwords and affects any other condition where the sensitive attribute might be displayed for informational purposes such as alerts.
PingDataSync can now include Active Directory account state information
Improved PingDataSync
Many customers use PingDataSync Server to either migrate from Active Directory or use Active Directory in conjunction with PingDirectory to manage user accounts. Administrators can now configure PingDataSync to include account state information set in Active Directory, specifically the lockout time, the last time the password was set, and whether or not the account is disabled. This information can now be properly set within PingDirectory based on the information set in the account in Active Directory.
Entry balancing and global index
Issue PingDirectoryProxy
If the DirectoryProxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.
In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the DirectoryProxy Server could have selected a result from a backend server in which the target entry didn’t exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.
There are still known cases, however, in which the DirectoryProxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn’t allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.
Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology
Fixed PingDirectory, PingDataSync
When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
Fixed lost access to keys used for reversible password encryption when removing servers from the topology
Fixed DS-44591 PingDirectory
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, before this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Because this change only applies to the most recent version of
Fixed Directory REST API
Fixed DS-37117 PingDirectory
Fixed an issue where the Directory REST API encountered internal server errors while processing entries whose attributes have LDAP tagging options.
Added LDAP pass-through authentication handler
Fixed DS-38498, DS-38621 PingDirectory
An LDAP pass-through authentication handler has also been provided, which allows the new plugin to be used as an alternative to the existing LDAP-specific pass-through authentication plugin. The new implementation provides additional functionality not available in the previous plugin, including the ability to indicate whether pass-through authentication should be allowed for accounts that are locked or have expired passwords and the ability to set timeouts that will be used when interacting with external LDAP servers. It also has improved default settings and offers better diagnostic information about its processing.
Added authentication support for passwords stored in several services
Fixed DS-40671 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.
The dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used
Fixed DS-40796 PingDirectory
To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.
Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change
Fixed DS-40926 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, which could be included in the server’s configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive will be obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values, but could interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.
Added sorting to the Name and Category columns of the monitor table
Fixed DS-42752 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added sorting functionality to the Name and Category columns of the monitor table in the administrative console.
Added replica-partial-backlog attribute to replication summary monitor
Fixed DS-42961 PingDirectory
To help with replication backlog analysis, the replication summary monitor now includes a replica-partial-backlog attribute that shows how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute also shows the change numbers used for the calculation.
Updated the server to record the original requester distinguished name (DN) and IP address
Fixed DS-43056 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Updated the server to record the original requester distinguished name (DN) and IP address in access log and config audit log messages for mirrored configuration changes.
Fixed issues related to server handling of controls in search requests
Fixed DS-43582 PingDirectory, PingDirectoryProxy
Fixed a couple of issues in which the server might not properly handle other controls included in a search request containing a join request control. For search operations passing through the Directory Proxy Server, other response controls could have been inadvertently stripped from search result entries when adding the join result control. Further, if a search request included a join request control in conjunction with one or more other controls, the request control immediately following the join request control might not have been properly handled.
Added support for obtaining secrets from CyberArk Conjur
Fixed DS-43917 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service. The server can authenticate to Conjur using a username and a password or an API key.
Added support for obtaining secrets from Azure Key Vault
Fixed DS-43918 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service.
New global configuration properties to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request
Fixed DS-43959, DS-44924 PingDirectory
These can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that can be provided for an attribute.
Fixed proxied authorization issue
Fixed DS-44081 PingDirectory
Addressed an issue where proxied authorization would fail in rare cases for usernames with 57 or 58 characters and DNs with 108 or 109 characters.
Fixed manage-profile replace-profile keystore files issue
Fixed DS-44280, DS-45027, DS-45037 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS-140-2-compliant mode.
Fixed View API Commands issue
Fixed DS-44329 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Resolved an issue where the View API Commands link appeared to be disabled in the administrative console.
Fixed silent replication failure
Fixed DS-44454 PingDirectory
Fixed an issue where non-DN modifications associated with a moddn change would silently fail to replicate.
Added new --performLocalCleanup argument to remove-defunct-server
Fixed DS-44495 PingDirectory
Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.
Added a PKCS #11 cipher stream provider
Fixed DS-44519 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server’s encryption settings database. Only certificates with RSA key pairs can be used because Java virtual machines (JVMs) do not currently provide adequate key wrapping support for elliptic curve key pairs.
Server instances can now be safely mirrored to older servers in mixed-version topologies
Fixed DS-44577 PingDirectory
Server instances, which are within a mirrored subtree, can now be safely mirrored to older servers in mixed version topologies. This is done by adding the following to server instances: objectclass: extensibleObject.
Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology
Fixed DS-44591 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, before this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Because this change only applies to the most recent version of
Added PingData Administrative Console configuration capability
Fixed DS-44595 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The PingData Administrative Console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (ex: PKCS12 or BCFKS) are now properly supported.
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks
Fixed DS-44601 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.
Updated the file servlet
Fixed DS-44602 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.
Improved includePath argument validation performed by the manage-profile generate-profile tool
Fixed DS-44604 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept but warn about paths that reference files that do not exist.
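The following is an added example written for this page, not the manage-profile tool's own code. It implements the three outcomes the note describes for an includePath value (error for absolute or out-of-root paths, warning for missing in-root paths, otherwise accepted) and adds the check a practitioner would want on top: a path that is lexically inside the root can still escape it through a symlink, so the real target is checked as well. The server-root layout it uses is constructed in a temporary directory.

```python
import os
import tempfile

# Added example, not the manage-profile tool's own code: a containment check of
# the kind the includePath validation needs. The directory layout is constructed
# for the demonstration; no real server root is read.


def check_include_path(raw: str, server_root: str):
    """Classify an includePath value against a server root.

    Returns ("error", reason) for absolute paths or anything that resolves outside
    the root, ("warn", reason) for in-root paths that do not exist, and
    ("ok", normalized path relative to the root) otherwise.
    """
    if not raw:
        return ("error", "empty path")
    if os.path.isabs(raw):
        return ("error", "absolute path not allowed")
    root = os.path.realpath(server_root)
    # Normalize lexically first so "config/../../etc/passwd" is caught before any I/O.
    candidate = os.path.normpath(os.path.join(root, raw))
    if os.path.commonpath([root, candidate]) != root:
        return ("error", "path escapes the server root")
    if not os.path.lexists(candidate):
        return ("warn", "path does not exist")
    # A symlink inside the root may still point outside it; check the real target.
    if os.path.commonpath([root, os.path.realpath(candidate)]) != root:
        return ("error", "symlink resolves outside the server root")
    return ("ok", os.path.relpath(candidate, root))


def demo_include_paths() -> dict:
    """Exercise the check against a constructed server-root layout."""
    results = {}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "custom.ldif"), "w") as f:
            f.write("dn: cn=config\n")  # constructed placeholder content
        results["good"] = check_include_path("config/custom.ldif", root)
        results["dotdot_inside"] = check_include_path("config/../config/custom.ldif", root)
        results["missing"] = check_include_path("config/not-there.ldif", root)
        results["absolute"] = check_include_path(os.path.join(outside, "secret"), root)
        results["traversal"] = check_include_path("../../etc/passwd", root)
        try:
            os.symlink(outside, os.path.join(root, "link-out"))
            results["symlink_escape"] = check_include_path("link-out", root)
        except (OSError, NotImplementedError):
            pass  # symlinks unavailable on this platform; that case is skipped
    return results


if __name__ == "__main__":
    for name, outcome in demo_include_paths().items():
        print(f"{name:16} {outcome}")
```

The lexical check alone is what catches ".." traversal; the realpath comparison after it is what catches a symlink planted under the server root, which is why both are kept even though the second looks redundant.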
Fixed an issue that caused an internal root account to be subject to the server’s default password policy
Fixed DS-44623 PingDirectory, PingDirectoryProxy
Fixed an issue that caused an internal root account (used for processing certain types of internal operations) to be subject to the server’s default password policy. With some password policy configurations, if a DirectoryProxy Server attempted to perform an internal operation that targeted data in a backend Directory Server, that operation could have been incorrectly rejected.
Fixed symmetric keys issue
Fixed DS-44648 PingDirectory
Addressed an issue where symmetric keys were not being sanitized in the config-audit.log.
Updated the export-ldif tool
Fixed DS-44669 PingDirectory
Updated the export-ldif tool to always base64 encode values with any ASCII control characters. The LDIF specification in RFC 2849 only requires base64 encoding for the NUL, LF, and CR control characters, and those are the only control characters that were previously base64 encoded. However, the specification also permits base64 encoding for any type of character, and always base64 encoding all control characters is safer and reduces the chance for errors when working with values containing such characters.
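The following is an added example written for this page; it is not export-ldif code. It encodes attribute values into LDIF lines under the RFC 2849 SAFE-STRING rules (base64 when the value starts with SPACE, colon or "<", contains NUL, LF, CR or a non-ASCII byte, or ends in SPACE) and, in its strict mode, also base64-encodes any value containing any other ASCII control character, which is the behavior the note describes. The function names are this example's own.

```python
import base64

# Added example, not export-ldif code: an LDIF attribute-line encoder applying
# the RFC 2849 SAFE-STRING rules, with a strict mode that also base64-encodes
# values containing any ASCII control character.

_NEVER_SAFE = {0x00, 0x0A, 0x0D}                    # NUL, LF, CR: not SAFE-CHAR
_NOT_SAFE_INIT = _NEVER_SAFE | {0x20, 0x3A, 0x3C}   # plus SPACE, ':', '<' as first byte


def _is_control(b: int) -> bool:
    """ASCII control characters: 0x00-0x1F and DEL (0x7F)."""
    return b < 0x20 or b == 0x7F


def needs_base64(value: bytes, strict_control_chars: bool = True) -> bool:
    """Decide whether an attribute value must use the '::' base64 form.

    RFC 2849 requires base64 unless the value is a SAFE-STRING: first byte a
    SAFE-INIT-CHAR, every byte a SAFE-CHAR (ASCII, not NUL/LF/CR); values that
    end in SPACE SHOULD be encoded as well. strict_control_chars extends the rule
    to every ASCII control character, which the specification permits.
    """
    if not value:
        return False
    if value[0] in _NOT_SAFE_INIT or value[0] >= 0x80:
        return True
    if any(b in _NEVER_SAFE or b >= 0x80 for b in value):
        return True
    if value[-1] == 0x20:
        return True
    if strict_control_chars and any(_is_control(b) for b in value):
        return True
    return False


def ldif_attribute_line(name: str, value: bytes, strict_control_chars: bool = True) -> str:
    """Render one 'name: value' or 'name:: base64' line (no line folding applied)."""
    if needs_base64(value, strict_control_chars):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value.decode('ascii')}"


def entry_to_ldif(dn: str, attrs, strict_control_chars: bool = True) -> str:
    """Render a whole entry; the DN line follows the same SAFE-STRING rule."""
    lines = [ldif_attribute_line("dn", dn.encode("utf-8"), strict_control_chars)]
    for name, value in attrs:
        lines.append(ldif_attribute_line(name, value, strict_control_chars))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample entry: a tab inside a value is legal per RFC 2849 but is
    # base64-encoded in strict mode, which is what export-ldif now does.
    sample = [("cn", b"John\tDoe"), ("description", b"ends with space "), ("sn", b"Doe")]
    print(entry_to_ldif("cn=John Doe,ou=People,dc=example,dc=com", sample))
```

Non-strict mode reproduces the earlier export-ldif behavior (only NUL, LF and CR force base64), so diffing the two renderings of an export shows exactly which values the change affects.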
Made several improvements to the ldap-diff tool
Fixed DS-44757 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
- Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
- Added the ability to use a properties file to obtain default values for command-line arguments.
- Improved the ability to use different TLS-related settings for the source and target servers.
- Improved support for SASL authentication.
Updated the migrate-ldap-schema tool
Fixed DS-44758 PingDirectory
Updated the migrate-ldap-schema tool to provide more flexibility for TLS negotiation, support for SASL authentication, support for using a properties file, and better validation for migrated attribute type and object class definitions.
Fixed a remove-defunct-server issue
Fixed DS-44793 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.
Improved performance for modify operations
Fixed DS-44884 PingDirectory
Improved performance for modify operations that need to insert an entry ID into the middle of a very large composite index ID set.
Addressed a connection error in remove-defunct-server
Fixed DS-44892 PingDirectory
Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (in other words, a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.
Fixed an error when backing up an encrypted backend
Fixed DS-44904 PingDirectory
Fixed a race condition that could sporadically cause an error when backing up an encrypted backend.
Addressed an issue where simple binds on entries without passwords did not update password policy attributes
Fixed DS-44931 PingDirectory
Addressed an issue where simple binds on entries without passwords would not update the relevant password policy attributes, such as ds-pwp-auth-failure.
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites
Fixed DS-44940 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.
Fixed an issue in which the server might not use appropriate resource limit values
Fixed DS-44942 PingDirectory, PingDirectoryProxy
Fixed an issue in which the server might not use appropriate resource limit values for accounts that bind with pass-through authentication. In such cases, the server might apply size limit, time limit, idle time limit, and other constraints from the global configuration instead of alternative values for those limits set in the user entry.
Fixed server hang issues
Fixed DS-45032 PingDirectory
- Addressed an issue that caused remove-defunct-server to hang.
- Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.
For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times
Fixed DS-45038 PingDirectory
For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times in order to apply the new generation ID.
Added support for Eclipse Foundation JDKs
Fixed DS-45039 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for the use of Java Development Kits (JDKs) obtained through Eclipse Foundation.
Fixed an issue where explicit createTimestamp values were replicated to peer servers in the wrong format
Fixed DS-45056 PingDirectory
Fixed an issue where explicit createTimestamp values were replicated to peer servers using a default timestamp format rather than the non-default format value stored on the first server.
Updated the mirror virtual attribute provider to include an option to bypass access control evaluation for the internal searches that it performs
Fixed DS-45060 PingDirectory
This might allow the virtual attribute to provide values from another entry even if the requester would not otherwise have permission to access those values.
Fixed a Ping Directory Server performance issue involving high CPU usage
Fixed DS-45115 PingDirectory
Fixed a Ping Directory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.
Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments
Fixed DS-45124 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.
Fixed a composed attribute plugin issue
Fixed DS-45153 PingDirectory
Fixed an issue that prevented the composed attribute plugin from working for operations that are part of a multi-update request.
Fixed an issue where a server with a newly initialized database could go into lockdown mode
Fixed DS-45154 PingDirectory
Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.
Changed default tab in the administrative console
Fixed DS-45160 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Changed the default tab in the administrative console to Modify when updating an existing server resource with new changes.
Added support for new extended operations
Fixed DS-45162 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for new extended operations to help manage the server’s listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.
Added support for BellSoft JDKs
Fixed DS-45190 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added support for the use of JDKs obtained through BellSoft.
Improved performance of server encryption
Fixed DS-45203 PingDirectory
Resolved a performance issue that could cause servers installed using a server encryption option to spend several minutes waiting in the Initializing Crypto Manager phase during server startup.
Added a scroll bar to the administrative console’s Server list
Fixed DS-45284 PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
Added a scroll bar to the administrative console’s Server list to ensure all servers are accessible regardless of screen size.
Updated the entry counter, hash DN, and round robin placement algorithms
Fixed DS-44678 PingDirectoryProxy
Updated the entry counter, hash DN, and round robin placement algorithms to make it possible to exclude specified backend sets from consideration when adding new entries to an entry-balanced topology.
Improved server logic
Fixed DS-44798 PingDirectoryProxy
Improved the logic the server uses to select the best result to return to the client when an operation fails in an entry-balanced topology after the request was broadcast to all backend sets. In some cases, the server could have incorrectly returned a result from a backend set in which the target entry did not exist instead of a more appropriate result from the backend set that did contain the entry.
Fixed dashboard icon issue
Fixed DS-44224 PingDataMetrics
Addressed an issue where icons on the dashboards were not properly displayed.
Synchronize the Active Directory attribute lockoutTime from source systems to the PingDirectory attribute pwdAccountLockedTime
Fixed DS-44513 PingDataSync
Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.
Added a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled
Fixed DS-44636 PingDataSync
Synchronize the Active Directory userAccountControl bit indicating that the account is disabled (bit #2), or msDS-UserAccountDisabled on AD LDS, to the PingDirectory attribute ds-pwp-account-disabled. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.
Added a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime
Fixed DS-44660 PingDataSync
Synchronize the Active Directory attribute pwdLastSet, which holds the password changed time, to the PingDirectory attribute pwdChangedTime. Because pwdChangedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime.
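The three Active Directory mappings above (lockoutTime, the userAccountControl disabled bit, and pwdLastSet) all require turning AD's native representations into values the PingDirectory password policy understands. The following added example is not PingDataSync code; it is a constructed illustration of the value transformations behind those "...FromAD" intermediate attributes, using a constructed sample AD entry. The attribute names on the PingDirectory side are taken from the notes above; the helper names and the sample entry are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01T00:00:00Z.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # AD's "never" sentinel in time attributes
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl flag: account disabled (bit #2)


def filetime_to_generalized_time(ticks: int) -> Optional[str]:
    # Converts an AD FILETIME integer to an LDAP GeneralizedTime string
    # (YYYYMMDDHHMMSS.mmmZ). A zero value means "not set" (for pwdLastSet it
    # means "must change password at next logon"), so it maps to no value.
    if ticks <= 0 or ticks >= FILETIME_NEVER:
        return None
    dt = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return dt.strftime("%Y%m%d%H%M%S") + f".{dt.microsecond // 1000:03d}Z"


def account_disabled(user_account_control: int) -> bool:
    # True when the ACCOUNTDISABLE flag is set in userAccountControl.
    return bool(user_account_control & UF_ACCOUNTDISABLE)


def map_ad_entry(ad_entry: Dict[str, str]) -> Dict[str, str]:
    # Produces the intermediate "...FromAD" attributes that the direct
    # attribute mappings described in the release notes then forward to
    # ds-pwp-account-disabled, pwdAccountLockedTime and pwdChangedTime.
    mapped: Dict[str, str] = {}
    uac = int(ad_entry.get("userAccountControl", "0"))
    mapped["ds-pwp-account-disabled-from-ad"] = "true" if account_disabled(uac) else "false"
    locked = filetime_to_generalized_time(int(ad_entry.get("lockoutTime", "0")))
    if locked is not None:
        mapped["pwdAccountLockedTimeFromAD"] = locked
    changed = filetime_to_generalized_time(int(ad_entry.get("pwdLastSet", "0")))
    if changed is not None:
        mapped["pwdChangedTimeFromAD"] = changed
    return mapped


# Constructed sample AD entry; values are strings, as an LDAP client returns them.
SAMPLE_AD_ENTRY: Dict[str, str] = {
    "sAMAccountName": "jdoe",
    "userAccountControl": "514",          # 0x200 NORMAL_ACCOUNT | 0x2 ACCOUNTDISABLE
    "pwdLastSet": "132905664000000000",   # 2022-03-01T00:00:00Z as FILETIME
    "lockoutTime": "0",                   # account is not locked out
}

if __name__ == "__main__":
    print(map_ad_entry(SAMPLE_AD_ENTRY))
    # {'ds-pwp-account-disabled-from-ad': 'true', 'pwdChangedTimeFromAD': '20220301000000.000Z'}
```

One caveat when treating lockoutTime as a lock indicator: AD does not clear lockoutTime when the domain's lockout duration expires, so a non-zero value only means the account is currently locked if lockoutTime plus the lockout duration is still in the future. The mapping above forwards the raw time and leaves that decision to the password policy on the PingDirectory side.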
Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes
Fixed DS-44922 PingDataSync
Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes with the same base name but different option tags, when any of those attributes had more values in the source entry than the replace-all-attr-values-limit for the Sync class.
Delegated Admin 4.9 (March 2022)
Managing accounts now includes the ability to unlock accounts
Improved Delegated Admin
Previously, the only way to unlock an account was for an administrator to reset the password. Now, delegated administrative users can directly unlock an account without resetting the password. For more information, see Unlocking user accounts.
The initiate password reset option does not unlock accounts.
Resource types can now have custom names assigned for Members and Nonmembers columns
Improved Delegated Admin
This option is available for the Groups, Users, and Generic REST resource types.
For more information, see Manage groups.
The grant type is now set to Authorization Code with PKCE
Improved Delegated Admin
Earlier versions of Delegated Admin have used the Implicit grant type as the default OpenID Connect (OIDC) grant type. Because the Implicit grant type can leak access tokens, it is no longer recommended for use. In new installations of Delegated Admin, the grant type is set to Authorization Code with PKCE. To change your default OIDC grant type to Authorization Code with PKCE in existing installations of Delegated Admin, see Changing the default OIDC grant type.
For more information on the Implicit grant type, see OAuth 2.0 Implicit Grant.
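The reason the Authorization Code with PKCE grant is preferred over Implicit is that the token is never exposed in a browser URL; the client instead receives a short-lived code that is useless without the code_verifier it generated. The following added example (not Delegated Admin's or any Ping product's code; ToyAuthorizationServer is a constructed stand-in for the OIDC provider) shows both halves of the PKCE exchange defined in RFC 7636 and why an intercepted code alone does not yield a token:

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # Client side: a high-entropy random string of 43-128 unreserved characters.
    # 32 random bytes encode to exactly 43 characters.
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # Client side: the challenge sent with the authorization request.
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    # Authorization server side: recompute the challenge from the presented
    # verifier and compare in constant time.
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


class ToyAuthorizationServer:
    # Constructed stand-in for the OIDC provider: stores the challenge at
    # authorization time and checks the verifier at token time.
    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Authorization response: the client receives only an opaque code.
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> Optional[str]:
        # Token request: the code is single-use and is consumed even on failure,
        # so a replayed or guessed verifier cannot retry against the same code.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        challenge, method = entry
        if not verify_pkce(code_verifier, challenge, method):
            return None
        return "access-token-" + secrets.token_urlsafe(16)


if __name__ == "__main__":
    verifier = make_code_verifier()
    server = ToyAuthorizationServer()
    code = server.authorize(code_challenge_s256(verifier))
    print(server.token(code, verifier))   # a token: the legitimate client holds the verifier
    print(server.token(code, verifier))   # None: the code was already consumed
```

Contrast this with the Implicit grant, where the access token itself is returned in the redirect URL fragment and can end up in browser history, referrer headers, or logs; with PKCE the only value that travels through the redirect is the code, and the verifier that unlocks it never leaves the client.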
dadmin-account-locked is not available for filtering
Issue Delegated Admin
Because the account locked state, dadmin-account-locked, is not a true attribute, it is not available for filtering in reporting.
No resources displayed for a correlated resource type
Issue Delegated Admin
If a resource is linked to more correlated resources than the correlated resource type’s search limit, then no resources will be displayed for that correlated resource type. To view the resources for that correlated resource type, increase the correlated resource type’s search limit.
Fixed error message issue
Fixed DS-40723 Delegated Admin
Fixed an issue where an error message was not displayed when password generation was unsuccessful.
Fixed multi-valued attribute deletion error
Fixed DS-45075 Delegated Admin
Fixed an issue that prevented the first value in a multi-valued attribute from being deleted.
Updated the warning banner for configuration errors
Fixed DS-45079 Delegated Admin
Updated the warning banner for configuration errors to only display for the first 10 seconds after signing in to Delegated Admin.