PingDirectory

PingDirectory suite of products 10.1.0.0 (June 2024)

Fixed a PingDirectoryProxy authentication issue

Security DS-48028 PingDirectoryProxy

Fixed an issue that could have allowed clients attempting to authenticate through the PingDirectoryProxy server to obtain more information in the bind response than would have been allowed if the request had been sent directly to a PingDirectory server.

Added presence component support for composite index filter patterns

New DS-18120 PingDirectory

Added the ability to use presence components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing presence attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern. Learn more about Composite index filter patterns.

Added static equality support for composite index filter patterns

New DS-18120 PingDirectory

Added the ability to use equality components with static values in composite index filter patterns, which can be useful in cases where you want to index specific attribute values that are present in a large number of entries. The index filter pattern can either be a simple static equality component, an AND filter with multiple static equality components, or an AND filter with static equality components combined with other supported filter pattern components.

Added approximate matching support for composite index filter patterns

New DS-48631 PingDirectory

Added the ability to use approximate matching components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing approximate matching attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern.

Added support for localized matching in searches

New DS-48630 PingDirectory

Added support for several collation matching rules, which allow clients to use extensible match filters to better search for entries with non-English values. Learn more about Localization of searches with collation matching.

Added a repair tool for broken trust in replicated topologies

New DS-48752 PingDirectory

Added a tool to repair broken listener certificate trust in replicated topologies. To reduce troubleshooting and speed up the repair of broken subtree mirroring in a replicated topology where listener certificates have fallen out of trust, you can use the repair-topology-listener-certificates tool. Learn more about Repairing broken listener certificate trust in replication.

This tool is not an alternative to using the replace-certificates tool when changing listener certificates normally and can only be used to address issues that arise from unsuccessful certificate updates in the topology registry.

Added the ability to compare LDAP schemas between servers

New DS-47930 PingDirectory, PingDirectoryProxy

Added the compare-ldap-schemas tool to identify differences between the schemas of two LDAP servers.

Added a configurable limit for subtree modification

New DS-47316 PingDirectory

Added the subtree-modify-dn-size-limit configuration property for local DB backends. By default, the server now rejects modify DN operations in which the target entry has more than 100 subordinate entries, which can help protect against inadvertent and potentially expensive subtree moves or renames.

With this property, subtree modify DN operations can be completely disabled, limited to subtrees of a specified maximum size, or allowed for subtrees of any size.

Added client connection info in request-type access logging

New DS-48614 PingDirectory

Added the include-connection-details-in-request-messages property to allow you to add details about client connections in request-type access log messages. The property is disabled by default. Learn more about Adding connection information to request-type log messages.

Added the ability to exclude error log messages

New DS-48581 PingDirectory, PingDirectoryProxy, PingDataSync

Added the ability to exclude specific error log messages to help simplify server administration. You can configure several criteria to determine which messages to exclude. Learn more about Excluding specific log messages.

Added boolean attribute support for Prometheus metrics

New DS-47286 PingDirectory

Added support for boolean attributes in Prometheus monitor metrics. These metrics can be used for monitor attributes that have values such as true, false, enabled, disabled, yes, no, on, off, 1, or 0. The server sends a gauge metric to Prometheus with a value of 1 or 0 to represent these values. Learn more about Customizing published metrics.

Added obfuscation for sensitive Kafka values

New DS-48216 PingDataSync

Added the sensitive-kafka-producer-property configuration object to enable you to obscure sensitive producer property values, such as keys or passwords. Learn more about Obscuring sensitive producer property values.

Added support for PKCS11 key wrapping transformations

New DS-48514 PingDirectory

For environments that require specific key wrapping transformations, we added the ability to use dsconfig to update the key-wrapping-transformation property for PingDirectory PKCS11 cipher stream providers.

Added a password verification extended operation

New DS-48662 PingDirectory, PingDirectoryProxy

Added support for an extended operation to verify passwords, which can be used to determine whether a specified password is correct for a given user without performing any other password policy processing. Support for this operation is disabled by default. Learn more about The verify password extended operation.

Added support for synchronizing account lock statuses from PingOne

Improved DS-47933 PingDataSync

Increased the consistency of enterprise-wide user statuses by adding support for synchronizing account lock status events from a PingOne source. Learn more about Synchronizing PingOne account status with PingDirectory.

Enabled candidate set caching to improve indexed search performance

Improved DS-48530 PingDirectory

Added a configuration property that enables you to cache the candidate set for indexed search requests that include the simple paged results request control. By default, the server recomputes the candidate set for each page of results retrieved from the server. With caching enabled, the server can reuse the same candidate set across all pages without needing to recompute it each time.

Reduced the performance impact of exploded index cleanup processing

Improved DS-48672 PingDirectory

Reduced the performance impact of the background cleanup processing that occurs when an exploded index key exceeds the index entry limit.

Previously, performance of other write operations had been substantially degraded while the cleanup was in progress and, under certain circumstances, could have caused the server to appear unresponsive. Now, the background cleanup processing might take significantly longer but has much less impact on other operations while that cleanup is in progress.

Increased the speed of search results

Improved DS-48075 PingDirectory

Updated the server to allow it to start returning matching entries more quickly and with reduced memory consumption when processing a search request that can be perfectly satisfied by a single composite index key.

Increased the server startup speed

Improved DS-48869 PingDirectory, PingDirectoryProxy, PingDataSync

Changed the default behavior of the interactive setup to not prime the database by preloading its contents.

Increased throughput in backend DB environments

Improved DS-48827 PingDirectory

Increased write throughput and significantly reduced response time outliers in backend DB environments.

Improved performance for servers with large configuration archives

Improved DS-48875 PingDirectory, PingDirectoryProxy, PingDataSync

Changed the configuration archive to retain a maximum of 100 previous configurations by default to alleviate the performance impact of large archives.

Improved server guidance around attribute and composite indexes

Improved DS-48670, DS-5357 PingDirectory

Updated the server to raise an alert or log a warning message when attribute index entry limits are set too high and to recommend the use of composite indexes instead. High index entry limits can lead to performance issues for attribute indexes, and composite indexes offer much better performance and scalability for index keys that match a large number of entries.

Reduced memory pressure for dynamic group caching

Improved DS-44929 PingDirectory

Reduced the amount of memory needed to cache information about dynamic groups.

Enabled data imports to ignore duplicate attribute values

Improved DS-48603 PingDirectory

Updated the import-ldif tool to add an --ignoreDuplicateAttributeValues argument. By default, the tool rejects any entries that contain duplicate values within the same attribute, but this new argument causes it to behave as if each value had only been provided once.

Enhanced the configurability of ACI rights for adding entries

Improved DS-48516 PingDirectory

Added the evaluate-target-attribute-rights-for-add-operations configuration property to the access control handler to correct a behavior where the bind user required an allow add ACI for only one attribute of an entry to add the entry.

With this property enabled, the bind user must have an allow add ACI for all attributes of an entry to add the entry. To avoid changing existing functionality, evaluate-target-attribute-rights-for-add-operations is disabled by default. Learn more about Changing the allow add ACI behavior for entries.

Increased replication speed

Improved DS-48826 PingDirectory

Increased throughput for replicated operations.

Made schema replication more efficient

Improved DS-48343 PingDirectory

Made schema replication more efficient by not sending, and by not applying, update messages that don’t need to be applied. This is done by calculating the generation ID correctly, setting replication operational attributes in the schema backend, and by noting the changes most recently applied in the replicationChanges backend.

Improved obsolete replica logic

Improved DS-48800 PingDirectory

Improved the obsolete replica logic so that replication more accurately determines whether a replica is obsolete.

Increased the efficiency of replication backlog health checks

Improved DS-48552 PingDirectoryProxy

Made the server health check for the replication backlog more efficient.

Reduced the size of replication monitor messages

Improved DS-48058 PingDirectory

To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.

Reduced the retrieval time for the percentage of undeletable files

Improved DS-45172 PingDirectory

Used caching to speed up retrieval of the percentage of undeletable database files in the Database Environment monitor entry.

Expanded the controls for export-reversible-passwords

Improved DS-48022 PingDirectory

Updated the export-reversible-passwords tool to allow you to specify base DNs for entries to include in or exclude from the export.

Made it easier to upgrade the Password Sync Agent

Improved DS-17945, DS-48793 PingDataSync

Made it easier to install and upgrade the Password Sync Agent by clarifying and expanding the documentation.

Enhanced debug support for CLI tools

Improved DS-48239 PingDirectory, PingDirectoryProxy, PingDataSync

Added debug logging support to a number of command-line tools. Use the --help-debug argument to see the relevant arguments.

Added a timeout for long-running exec alert commands

Improved DS-48724 PingDirectory

Added a timeout feature that automatically terminates the execution of a long-running command or script initiated by the exec alert handler. The command-timeout attribute controls the time limit and has a default value of 1 hour. To disable this timeout, you can change the command-timeout value to 0 s. Learn more about Changing the timeout for an exec alert handler.

Enabled expensive operations access logging by default

Improved DS-48856 PingDirectory, PingDirectoryProxy, PingDataSync

Made a configuration change to have the expensive operations access logger enabled by default. Any operations that take at least one second to complete will be logged to the logs/expensive-ops file.

Added cipher re-initialization logic for performance improvement

Improved DS-48893 PingDirectory

Added the always-reinitialize-cached-cipher-instances configuration property to specify whether ciphers retrieved from an internal cache should always be re-initialized using Cipher.init() before re-use, or whether re-initialization can be skipped if the cipher has not been used to encrypt or decrypt data since a previous call to Cipher.init() or Cipher.doFinal().

This new property defaults to true, unless the server is running in FIPS 140-2-compliant mode. Skipping unnecessary re-initialization of cached ciphers results in greatly improved performance for implementations such as BCFIPS AES/CBC/PKCS5Padding.

Fixed an issue with inconsistency in paged search results

Fixed DS-46808 PingDirectory, PingDirectoryProxy

Fixed an issue where PingDirectoryProxy could have returned an inconsistent number of entries for paged search requests. Now, to ensure consistency in the returned entries, PingDirectoryProxy sends each paged search request to one server.

Fixed an encoding issue with UTF-8 in URI search filters

Fixed DS-48300 PingDirectory, PingDataSync

Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed an issue with syncing modified PingOne attributes

Fixed DS-48669 PingDataSync

Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.

Fixed an issue with VLV indexes and extensible match filters

Fixed DS-48026 PingDirectory

Fixed an issue that could have prevented the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.

Fixed an issue with inconsistent entryUUID values across servers

Fixed DS-48678, DS-48720 PingDirectory

Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.

Fixed an issue with attribute value duplication

Fixed DS-48585 PingDirectory

Fixed an issue where replace operations that targeted attributes with subordinate types would cause the subordinate attribute values to be duplicated.

Fixed a replication issue with an Invalid host error

Fixed DS-48311 PingDirectory

Fixed an issue where disabling replication with a missing hostname sometimes caused dsreplication status to fail with an Invalid host error.

Fixed a configuration change issue when replacing profiles

Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync

Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.

Fixed an issue with an encryption alarm

Fixed DS-46533 PingDirectory

Fixed an issue where the Strong Encryption Not Available Gauge had a value of INDETERMINATE and showed an alarm, even when the JVM supported strong encryption. Also changed the name of this gauge to Strong Encryption Available to avoid confusion in the event of an alarm being raised.

Fixed an issue with the PSA updating the wrong entries

Fixed DS-48358 PingDataSync

Fixed an issue where the PSA could update incorrect entries upon a password change if there were users with the same sAMAccountName in a forest.

Fixed an issue with entry modification in replication

Fixed DS-48491 PingDirectory

Fixed an issue that could prevent a modify request from adding real attribute values to a replicated entry that already had one or more virtual values for that attribute.

Fixed an issue with indexing entries while debugging

Fixed DS-48723 PingDirectory

Fixed an issue where an untrusted composite index would prevent entries matching that index from being added or modified if a debug log publisher was enabled for the composite index.

Fixed an error message in the Delegated Admin report

Fixed DS-48774 PingDirectory, PingDirectoryProxy

Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.

Fixed a null pointer exception in replication

Fixed DS-48796 PingDirectory

Fixed an NPE that could occur when running the dsreplication enable command in interactive mode.

Fixed an issue with installing PingDirectory in FIPS mode

Fixed DS-48834 PingDirectory

Resolved an issue where installing the PingDirectory server in FIPS-compliant mode would sometimes fail with an error stating that a configuration file entry had the same DN as another entry already read from that file.

Fixed DS-48897 PingDirectory

Fixed a rare issue where the server could have experienced an IllegalArgumentException on startup due to a negative sleep value when one or more replication servers weren’t online.