Release Notes
Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to the PingDirectory server, the PingDirectoryProxy server, and the PingDataSync server.
PingDirectory suite of products 10.2.0.0 (December 2024)
Basic authentication notice for the REST API
Security PingDirectory, PingDirectoryProxy
Basic authentication is currently enabled by default for the PingDirectory REST API. To improve PingDirectory’s security, basic authentication will be deprecated and disabled by default in a future release.
Learn more about disabling basic authentication in Managing the Directory REST API.
Fixed a potential basic authentication vulnerability for the REST API
Security DS-49261 PingDirectory, PingDirectoryProxy
Fixed a potential user enumeration vulnerability when using the Directory Rest API with basic authentication.
Support for Java 11 has been deprecated
Info PingDirectory, PingDirectoryProxy, PingDataSync
Support for Java 11 has been deprecated and will be removed in a future release.
Support for SCIM 1.1 has been deprecated
Info PingDirectory, PingDirectoryProxy
Support for SCIM 1.1 has been deprecated and will be removed in a future release.
Support for SNMP has been deprecated
Info PingDirectory, PingDirectoryProxy, PingDataSync
Support for SNMP has been deprecated and will be removed in a future release.
Some Java properties set automatically for Java 21 support
Info DS-49414 PingDirectory, PingDirectoryProxy, PingDataSync
To help enable runtime support of Java 21, the import-ldif and rebuild-index tools now automatically set the java.security.manager property to allow in the following places that affect those tools:
- The following properties in config/java.properties:
  - start-server.java-args
  - import-ldif.offline.java-args
  - rebuild-index.offline.java-args
- Programmatically, when setup invokes import-ldif
This property change allows these tools to use the backend database DbCacheSize utility by preventing that utility from exiting.
Custom SDK extensions using Javax will need to be migrated and recompiled in 10.3
Info PingDirectory, PingDirectoryProxy, PingDataSync
Several components will be upgraded in version 10.3 of the PingDirectory suite of products. If any of your custom Server SDK extensions have classes that import javax.*
packages, you will need to migrate them to the equivalent jakarta.*
packages and then recompile the extensions.
SCIM 2 SDK version compatibility for custom extensions
Info PingDirectory, PingDirectoryProxy
For custom SCIM 2.0 extensions that use the UnboundID SCIM 2 SDK with objects under the Javax namespace (for example, javax.ws.rs.client.WebTarget or javax.ws.rs.core.MediaType), you must use version 2.4.0 of the SDK.
Starting with version 3.0.0, the SDK uses objects under the Jakarta namespace (such as jakarta.ws.rs.client.WebTarget), which aren’t compatible with PingDirectory 10.2.0.0 or earlier.
If your SCIM 2.0 extension doesn’t use objects with Javax namespaces, you can use later versions of the UnboundID SCIM 2 SDK.
Added runtime support for Java 21
New DS-48833, DS-49193 PingDirectory, PingDirectoryProxy, PingDataSync
Added JRE support for Oracle JDK 21 and OpenJDK 21.
Added support for Generational ZGC garbage collection
New DS-49408 PingDirectory, PingDirectoryProxy, PingDataSync
Added support for Generational ZGC garbage collection on servers running Java 21. Learn more in JVM garbage collection using ZGC.
Added support for FIPS 140-3
New DS-49249, DS-49285 PingDirectory, PingDirectoryProxy, PingDataSync
Added support for setting up the server in FIPS 140-3-compliant mode using 2.x versions of the Bouncy Castle FIPS-compliant library.
To set up the server in FIPS 140-3-compliant mode, use the --fips-provider BCFIPS2 argument. You can still set up the server in FIPS 140-2-compliant mode using the --fips-provider BCFIPS1 argument.
Learn more in Setting up the server in FIPS-compliant mode.
Use OAuth scopes for ACIs on REST API endpoints
New DS-48851 PingDirectory, PingDirectoryProxy
To help isolate access to admin credentials in authentication workflows, we added the ability to use OAuth scopes to enforce ACIs for users authenticating to most Directory REST API endpoints.
When users send authentication requests with an OAuth 2.0 bearer token, they can be granted OAuth scopes by a token validator, such as PingFederate. Scope-configured PingDirectory ACIs can then be applied to those scopes, providing the permissions for the user and the request.
Learn more in Using OAuth scopes for ACI rules with the REST API.
Keep count of specific entries with a new plugin
New DS-422, DS-47690 PingDirectory
Added an entry counter plugin that can determine the number of entries in the server matching configured sets of base DN and filter criteria. The plugin returns the resulting entry counts in monitor entries and can optionally include information about the amount of space used to store those entries in the backend database.
You can also define warning and error threshold values for each set of criteria. If the number of matching entries reaches those thresholds, the server raises a warning or error alarm.
Learn more in Working with the entry counter plugin.
Monitor the risk of performance degradation
New DS-49116 PingDirectory
Added the db-on-disk-to-db-cache-size-ratio monitor attribute to database environment monitor entries. Also added a gauge to monitor the attribute and raise an alert if the on-disk database size becomes eight times larger than the size of the in-memory cache, which could cause an increased risk of performance degradation.
Learn more about this monitor attribute in Server gauges.
Added key and trust manager caching
New DS-49135 PingDirectory, PingDirectoryProxy, PingDataSync
Added the ability to cache key managers and trust managers to prevent loading keystore and truststore files from disk when establishing connections to process requests. Use the enable-key-manager-caching and enable-trust-manager-caching configuration properties to enable or disable caching.
Learn more about key and trust manager caching in Configuring key and trust manager providers.
Added caching for expensive password storage schemes
New DS-49100 PingDirectory, PingDirectoryProxy, PingDataSync
Added a secure, in-memory cache for improving the performance of repeated authentication attempts for users with passwords encoded using expensive storage schemes, including PBKDF2, Argon2, bcrypt, and scrypt.
When a user whose password is encoded with one of these schemes tries to authenticate, the server checks the cache to see if it contains their encoded password. If not, the server verifies the password using the expensive processing required by the storage scheme and then adds it to the cache, along with a salted SHA-256-encoded representation of that password. On later authentication attempts, if the cache includes the expensive encoded password, the server can use the salted SHA-256-encoded variant to verify the password much more quickly.
The cache only holds encoded representations of passwords using the expensive storage scheme and the faster salted SHA-256 digest. It doesn’t include the plaintext representations of passwords or information that could associate an encoded password with the corresponding user account. The contents of the cache aren’t written to disk or persisted in any other way.
You can adjust the cache size by using the encoded-password-cache-size property in the password storage scheme configuration. Setting this property to 0 disables caching for that scheme.
Learn more in Encoded password caching.
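The cache described above can be modelled in a few dozen lines. The following Python is an added example, not PingDirectory's code: it uses PBKDF2-HMAC-SHA256 as the "expensive" scheme, keys the cache by the expensive encoded value (never by user or plaintext), stores only a fresh salt plus a salted SHA-256 of the password on the slow path, and answers later attempts from the fast digest. The encoding format, the eviction policy, and the decision to reject directly on a fast-path mismatch are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo of an encoded-password cache modelled on the release note.
# Formats, names and policies below are assumptions, not PingDirectory's own.

PBKDF2_ITERATIONS = 100_000  # deliberately expensive, like production schemes


def encode_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as PBKDF2-HMAC-SHA256 in the form scheme$iter$salt$digest (hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"PBKDF2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, encoded: str) -> bool:
    """Slow path: recompute the expensive digest and compare in constant time."""
    _, iterations, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def fast_digest(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 used only for cache hits; cheap to compute."""
    return hashlib.sha256(salt + password.encode()).digest()


class EncodedPasswordCache:
    """In-memory map: expensive encoded password -> (salt, salted SHA-256 digest).

    Holds no plaintext and no user identity, and is never written to disk.
    A size of 0 disables caching, mirroring encoded-password-cache-size=0.
    """

    def __init__(self, size: int) -> None:
        self.size = size
        self._entries: Dict[str, Tuple[bytes, bytes]] = {}

    def verify(self, password: str, encoded: str) -> Tuple[bool, str]:
        """Return (is_valid, path) where path is 'fast' (cache hit) or 'slow'."""
        hit = self._entries.get(encoded)
        if hit is not None:
            salt, digest = hit
            # Assumption: a mismatch on the fast path is rejected outright.
            return hmac.compare_digest(fast_digest(password, salt), digest), "fast"
        ok = verify_pbkdf2(password, encoded)
        if ok and self.size > 0:
            if len(self._entries) >= self.size:
                # Simple FIFO eviction (dict preserves insertion order).
                self._entries.pop(next(iter(self._entries)))
            salt = secrets.token_bytes(16)
            self._entries[encoded] = (salt, fast_digest(password, salt))
        return ok, "slow"


if __name__ == "__main__":
    cache = EncodedPasswordCache(size=1000)
    stored = encode_pbkdf2("correct horse")
    print(cache.verify("correct horse", stored))  # first bind: slow path
    print(cache.verify("correct horse", stored))  # repeat bind: fast path
    print(cache.verify("wrong", stored))          # wrong password: rejected
```

Only a successful slow-path verification populates the cache, so a wrong password never creates an entry, and the fast digest is useless to an attacker without the salt held only in process memory.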
Better authentication performance for dynamic groups
Improved DS-49030 PingDirectory, PingDirectoryProxy
Dramatically reduced the time needed to authenticate in environments with a very large number of dynamic groups.
No server lockdown for missing changes from obsolete replicas
Improved DS-49070 PingDirectory
Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:
- The replication-purge-obsolete-replicas global configuration property is set to false.
- Not all servers in the topology support configurable missing changes.
- The remote server indicates lockdown for replicas that are actually obsolete.
No server lockdown for missing changes after a restart
Improved DS-48972 PingDirectory
Changed the default missing changes policy from favor-integrity to favor-availability to prevent lockdowns for missing changes from persisting between server restarts.
Made it easier to repair topologies with missing changes
Improved DS-49063 PingDirectory
Updated the check-replication-domains tool to distinguish between deleted and obsolete replicas, making it easier to manage missed changes when repairing a topology.
A replica listed as DELETED has been deleted from the topology but is not yet obsolete. A replica listed as OBSOLETE has been deleted from the topology and only contains changes older than the replication purge delay.
Mitigated a potential slowdown to server backups
Improved DS-49227 PingDirectory
Updated the server to attempt to pause backend cleaning activity while backups are in progress. If a cleaner thread removes any database files during a backup, it can cause the server to include additional files in the backup, which increases both the size of the backup and the time required to generate it. This effect can intensify when performing a rate-limited backup.
Improved password sync functionality
Improved DS-48794 PingDataSync
Added the ability to sync password changes and modifiable password policy state changes at the same time to PingDirectory sync destinations.
Allowed proxied requests for HTTP external servers
Improved DS-48729 PingDirectory, PingDirectoryProxy, PingDataSync
Updated the HTTP external server configuration to allow requests to be forwarded through an HTTP proxy server.
Made it easier to change garbage collection types
Improved DS-48966 PingDirectory, PingDirectoryProxy, PingDataSync
Added the --gcType argument for the dsjavaproperties tool to make it easier to change the server garbage collection type. Depending on the platform and Java version, some garbage collection types might not be recommended or supported.
Learn more in Changing the JVM garbage collector type.
Better compatibility with security scanners
Improved DS-48850 PingDirectory
To improve compatibility with third-party security scanners, HTTP response headers specified in the HTTP Connection Handler response-header property are now included in all error responses, for example 404 NOT FOUND.
Reduced redundant logging
Improved DS-49124 PingDirectory
Lowered the default global configuration property duplicate-error-log-limit from 2000 to 200 to reduce redundant logging.
Removed the restart prompt when changing a certificate alias
Fixed DS-45174 PingDirectory, PingDirectoryProxy, PingDataSync
Removed the prompt to restart the LDAP connection handler component after changing the ssl-cert-nickname configuration property because a restart isn’t required.
Fixed an issue with parsing the JAVA_HOME path
Fixed DS-49349 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where the dsjavaproperties tool did not correctly parse the JAVA_HOME path and threw the following error:
The old java.properties JAVA_HOME was changed because the Java installation in it is not valid. This is usually because the previous JAVA_HOME pointed to an incompatible version of Java. The previous JAVA_HOME value will remain in the generated java.properties.old file.
Changed the collect-support-data monitor file behavior
Fixed DS-47384 PingDirectory, PingDirectoryProxy, PingDataSync
Changed the collect-support-data tool to use the latest monitor-history file if it can’t find ldap/monitor.ldif when examining monitor data.
Fixed an issue with VLV index errors
Fixed DS-49296 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where untrusted VLV indexes would throw errors for irrelevant searches.
Fixed an issue with Prometheus HTTP servlet error messages
Fixed DS-49161 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where the Prometheus HTTP servlet would publish an excessive number of error messages to the error log when it lost connection to its remote counterpart.
Fixed an issue with config-diff
Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where running the config-diff tool would result in an Unknown property error when comparing configuration objects of different types.
Removed suppression messages for disabled alerts
Fixed DS-49119 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where alert types that were disabled would still output suppression messages.
Fixed server startup with third-party key manager providers
Fixed DS-49121 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue that could prevent the server from starting when configured to use a third-party key manager provider created using the Server SDK.
Fixed an issue with the Dictionary Password Validator
Fixed DS-47914 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue with the default value for dictionary-file in the Dictionary Password Validator configuration.
Supplied missing replication error information
Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.
Fixed failing server upgrades using server profiles
Fixed DS-49374 PingDirectory
Fixed an issue where server upgrades using manage-profile replace-profile failed because the default topology admin user account was reverting to the default password policy.
Fixed an issue with updating isMemberOf values
Fixed DS-49371 PingDirectory
Fixed an issue where the server didn’t properly update isMemberOf values as a result of a modify DN operation that renamed or moved a subtree containing one or more groups. The isMemberOf values for those groups would continue to reflect their former DNs until a server restart.
Fixed an issue with ds-backend-entry-count
Fixed DS-49394 PingDirectory
The ds-backend-entry-count monitor attribute for the replicationChanges backend now correctly handles sequence number rollover so that it is accurate when more than 2,147,483,647 changes have been made.
Fixed an issue with rebuilding substring indexes
Fixed DS-49384 PingDirectory
Fixed an issue where rebuilding a substring index could either result in an error or the index not properly indexing all keys.
Removed an irrelevant validator error
Fixed DS-42343 PingDirectory
Removed an irrelevant validator error. This error was previously raised on shutdown if a server was concurrently receiving mirror subtree data from the master server.
Fixed an HTTP Connection Handler error message
Fixed DS-49364 PingDirectory
Fixed an error message caused by an improperly configured HTTP Connection Handler object so that it properly lists out the affected object names.
Fixed a userRoot issue for server upgrades
Fixed DS-49281 PingDirectory
Fixed an issue that caused some server upgrades to fail. During an upgrade, the update tool added userRoot entries for inverted static group support to the server configuration after the userRoot backend had been removed.
Fixed an issue with JSON-object extensible matching filters
Fixed DS-45519 PingDirectory
Fixed an issue where JSON-object extensible matching filters of type less-than were being evaluated as type less-than-or-equals.
Fixed an issue with lost replication changes and gateways
Fixed DS-45976 PingDirectory
Fixed an issue where replication changes could be lost when sent to a location whose gateway was starting or stopping.
Fixed an issue with composite index metadata
Fixed DS-48969 PingDirectory
Fixed an issue that could cause an inconsistency in the metadata for a composite index record, which could have the following effects:
- Validator error messages show up in the server’s error log.
- The server returns errors in response to some requests.
- Under rare circumstances, the server can’t bring the affected backend online.
In addition, the server now has added resiliency against these kinds of issues, allowing it to better identify the correct result set and more effectively notify administrators if it does happen.
Fixed an issue with authorization IDs and the REST API
Fixed DS-49195 PingDirectoryProxy
Fixed an issue where the Directory REST API didn’t use alternate authorization identities in entry-balanced proxy environments.
Changed proxy transformation requirements for mapped attributes
Fixed DS-48958 PingDirectoryProxy
Updated the attribute mapping proxy transformation to require that both the source and target attribute types are defined in the local schema.
This change ensures that the server uses the correct logic when interacting with values of those attributes (for example, to identify whether the attribute type is declared as single-valued or multi-valued so that it can properly format the values in REST API responses). The server now prevents adding a new instance of this proxy transformation if either of the attribute types is not defined in the schema. It also logs a warning message on startup if any existing instance of the transformation references an undefined attribute type.
Fixed an issue with character encoding for PingOne sync destinations
Fixed DS-49362 PingDataSync
Fixed an issue where an empty space character didn’t get properly encoded when URLs were sent to PingOne sync destinations.
Fixed an issue with filtering virtual attributes
Fixed DS-49290 PingDataSync
Fixed an issue with defining which entries to sync with the include-filter property in a sync class. If the filter targeted virtual attributes with a ! (not) operator, the sync operation would fail to exclude matching entries.
Fixed an issue with error messages for sync operations
Fixed DS-49224 PingDataSync
Fixed an issue where error messages related to creating sync operations were being logged to all sync pipe log publishers rather than just the associated log publisher.
Fixed an issue with Kafka and OutOfMemory errors
Fixed DS-48762 PingDataSync
Fixed an issue where failover instances configured with KafkaSyncDestinations could leak KafkaProducer objects and eventually encounter OutOfMemory errors.
Fixed a potential NPE when loading a sync source
Fixed DS-49248 PingDataSync
Fixed a potential NullPointerException that could occur when attempting to load changes from a sync source.
Expired certificates in keystores after running replace-certificate
Issue DS-49269 PingDirectory, PingDirectoryProxy, PingDataSync
When replacing a PingDirectoryProxy or PingDataSync certificate with the replace-certificate tool, the old certificate gets stored in the existing keystore with an alias of .old. Instances of PingDirectory in the configuration don’t identify this alias as an indicator of a deprecated certificate and can select the .old certificate for use in TLS communication, potentially causing a communication failure.
To avoid this issue, you can do one of the following:
- Set a Null key manager provider for all external PingDirectory servers in the configuration.
- Use the manage-certificates delete-certificate command to remove unused aliases from the PingDirectoryProxy or PingDataSync keystores.
Learn more about the solutions for this issue in Communication failure due to aliased expired certificate (requires authentication).
Installing in FIPS-compliant mode with Oracle JDK 17 or later
Issue DS-48832 PingDirectory
If you attempt to install PingDirectory in FIPS-compliant mode while running Oracle JDK 17 or later, the installation might fail with an error similar to the following:
Initializing ..... An error occurred while attempting to initialize the crypto manager: due to an exception in the Java security provider: NoSuchAlgorithmException: 1.2.840.113549.1.1.4 Signature not available
To avoid this issue, use OpenJDK versions 17 or 21.
Support for the HashiCorp Vault secrets engine
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 10.1.0.2 (September 2024)
Changed replication to prevent lockdown for missing changes from obsolete replicas
Improved DS-49070 PingDirectory
Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:
- The replication-purge-obsolete-replicas global configuration property is set to false.
- Not all servers in the topology support configurable missing changes.
- The remote server indicates lockdown for replicas that are actually obsolete.
Made it easier to upgrade replicated servers to version 10.1.0.2 or later
Improved DS-48798, DS-49090 PingDirectory
When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 10.1.0.2 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.
This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server, as the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.
After upgrade, the update tool also displays a message with more information:
In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas' global configuration property changed from 'false' to 'true'. However, it should generally only be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0 servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly set to false for this server if it was not explicitly set. Once you have completed the upgrade across all servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this property to 'true' on all servers.
PingDirectory suite of products 10.1.0.0 (June 2024)
Fixed a PingDirectoryProxy authentication issue
Security DS-48028 PingDirectoryProxy
Fixed an issue that could have allowed clients attempting to authenticate through the PingDirectoryProxy server to obtain more information in the bind response than would have been allowed if the request had been sent directly to a PingDirectory server.
Added presence component support for composite index filter patterns
New DS-18120 PingDirectory
Added the ability to use presence components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing presence attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern. Learn more about Composite index filter patterns.
Added static equality support for composite index filter patterns
New DS-18120 PingDirectory
Added the ability to use equality components with static values in composite index filter patterns, which can be useful in cases where you want to index specific attribute values that are present in a large number of entries. The index filter pattern can either be a simple static equality component, an AND filter with multiple static equality components, or an AND filter with static equality components combined with other supported filter pattern components.
Added approximate matching support for composite index filter patterns
New DS-48631 PingDirectory
Added the ability to use approximate matching components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing approximate matching attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern.
Added support for localized matching in searches
New DS-48630 PingDirectory
Added support for several collation matching rules, which allow clients to use extensible match filters to better search for entries with non-English values. Learn more about Localization of searches with collation matching.
Added a repair tool for broken trust in replicated topologies
New DS-48752 PingDirectory
Added a tool to repair broken listener certificate trust in replicated topologies. To reduce troubleshooting and speed up the repair of broken subtree mirroring in a replicated topology where listener certificates have fallen out of trust, you can use the repair-topology-listener-certificates tool. Learn more about Repairing broken listener certificate trust in replication.
This tool is not an alternative to using the
Added the ability to compare LDAP schemas between servers
New DS-47930 PingDirectory, PingDirectoryProxy
Added the compare-ldap-schemas tool to identify differences between the schemas of two LDAP servers.
Added a configurable limit for subtree modification
New DS-47316 PingDirectory
Added the subtree-modify-dn-size-limit configuration property for local DB backends. By default, the server now rejects modify DN operations in which the target entry has more than 100 subordinate entries, which can help protect against inadvertent and potentially expensive subtree moves or renames.
With this property, subtree modify DN operations can be completely disabled, limited to subtrees of a specified maximum size, or allowed for subtrees of any size.
Added client connection info in request-type access logging
New DS-48614 PingDirectory
Added the include-connection-details-in-request-messages property to allow you to add details about client connections in request-type access log messages. The property is disabled by default. Learn more about Adding connection information to request-type log messages.
Added the ability to exclude error log messages
New DS-48581 PingDirectory, PingDirectoryProxy, PingDataSync
Added the ability to exclude specific error log messages to help simplify server administration. You can configure several criteria to determine which messages to exclude. Learn more about Excluding specific log messages.
Added boolean attribute support for Prometheus metrics
New DS-47286 PingDirectory
Added support for boolean attributes in Prometheus monitor metrics. These metrics can be used for monitor attributes that have values such as true, false, enabled, disabled, yes, no, on, off, 1, or 0. The server sends a gauge metric to Prometheus with a value of 1 or 0 to represent these values. Learn more about Customizing published metrics.
Added obfuscation for sensitive Kafka values
New DS-48216 PingDataSync
Added the sensitive-kafka-producer-property configuration object to enable you to obscure sensitive producer property values, such as keys or passwords. Learn more about Obscuring sensitive producer property values.
Added support for PKCS11 key wrapping transformations
New DS-48514 PingDirectory
For environments that require specific key wrapping transformations, we added the ability to use dsconfig to update the key-wrapping-transformation property for PingDirectory PKCS11 cipher stream providers.
Added a password verification extended operation
New DS-48662 PingDirectory, PingDirectoryProxy
Added support for an extended operation to verify passwords, which can be used to determine whether a specified password is correct for a given user without performing any other password policy processing. Support for this operation is disabled by default. Learn more about The verify password extended operation.
Added support for synchronizing account lock statuses from PingOne
Improved DS-47933 PingDataSync
Increased the consistency of enterprise-wide user statuses by adding support for synchronizing account lock status events from a PingOne source. Learn more about Synchronizing PingOne account status with PingDirectory.
Enabled candidate set caching to improve indexed search performance
Improved DS-48530 PingDirectory
Added a configuration property that enables you to cache the candidate set for indexed search requests that include the simple paged results request control. By default, the server recomputes the candidate set for each page of results retrieved from the server. With caching enabled, the server can reuse the same candidate set across all pages without needing to recompute it each time.
Learn more about optimizing paged searches using caching.
Reduced the performance impact of exploded index cleanup processing
Improved DS-48672 PingDirectory
Reduced the performance impact of the background cleanup processing that occurs when an exploded index key exceeds the index entry limit.
Previously, performance of other write operations had been substantially degraded while the cleanup was in progress and, under certain circumstances, could have caused the server to appear unresponsive. Now, the background cleanup processing might take significantly longer but has much less impact on other operations while that cleanup is in progress.
Increased the speed of search results
Improved DS-48075 PingDirectory
Updated the server to allow it to start returning matching entries more quickly and with reduced memory consumption when processing a search request that can be perfectly satisfied by a single composite index key.
Increased the server startup speed
Improved DS-48869 PingDirectory, PingDirectoryProxy, PingDataSync
Changed the default behavior of the interactive setup to not prime the database by preloading its contents.
Increased throughput in backend DB environments
Improved DS-48827 PingDirectory
Increased write throughput and significantly reduced response time outliers in backend DB environments.
Improved performance for servers with large configuration archives
Improved DS-48875 PingDirectory, PingDirectoryProxy, PingDataSync
Changed the configuration archive to retain a maximum of 100 previous configurations by default to alleviate the performance impact of large archives.
Improved server guidance around attribute and composite indexes
Improved DS-48670, DS-5357 PingDirectory
Updated the server to raise an alert or log a warning message when attribute index entry limits are set too high and to recommend the use of composite indexes instead. High index entry limits can lead to performance issues for attribute indexes, and composite indexes offer much better performance and scalability for index keys that match a large number of entries.
Reduced memory pressure for dynamic group caching
Improved DS-44929 PingDirectory
Reduced the amount of memory needed to cache information about dynamic groups.
Enabled data imports to ignore duplicate attribute values
Improved DS-48603 PingDirectory
Updated the import-ldif tool to add an --ignoreDuplicateAttributeValues argument. By default, the tool rejects any entries that contain duplicate values within the same attribute, but this new argument causes it to behave as if each value had only been provided once.
Enhanced the configurability of ACI rights for adding entries
Improved DS-48516 PingDirectory
Added the evaluate-target-attribute-rights-for-add-operations configuration property to the access control handler to correct a behavior where the bind user required an allow add ACI for only one attribute of an entry to add the entry.
With this property enabled, the bind user must have an allow add ACI for all attributes of an entry to add the entry. To avoid changing existing functionality, evaluate-target-attribute-rights-for-add-operations is disabled by default. Learn more about Changing the allow add ACI behavior for entries.
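The difference between the two evaluation modes is easiest to see on a concrete entry. The following Python is an added example, not PingDirectory's access control implementation or ACI syntax: it models an allow-add rule as a bind DN plus a set of permitted attribute types, then evaluates the same add request with the legacy "any attribute" rule and with the stricter "all attributes" rule that the property enables. The bind DN, the rule contents, and the sample entries are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed model of the two add-operation evaluation modes described in the
# release note. The rule structure is a simplification, not PingDirectory's ACI
# language; real ACIs carry target, targetattr and bind-rule clauses.


@dataclass(frozen=True)
class AllowAddRule:
    """A simplified 'allow (add)' grant for one bind DN over a set of attribute types.

    A targetattr of '*' is treated here as 'every attribute' (assumption for the demo).
    """

    bind_dn: str
    targetattr: FrozenSet[str]

    def grants(self, bind_dn: str, attr: str) -> bool:
        if bind_dn.lower() != self.bind_dn.lower():
            return False
        return "*" in self.targetattr or attr.lower() in {a.lower() for a in self.targetattr}


def attributes_granted(bind_dn: str, entry: Dict[str, List[str]],
                       rules: List[AllowAddRule]) -> List[str]:
    """Attribute types in the entry for which some rule grants the add right."""
    return [attr for attr in entry if any(rule.grants(bind_dn, attr) for rule in rules)]


def can_add_entry(bind_dn: str, entry: Dict[str, List[str]], rules: List[AllowAddRule],
                  evaluate_target_attribute_rights: bool) -> bool:
    """Decide whether the add is permitted.

    evaluate_target_attribute_rights=False reproduces the legacy behaviour: one
    permitted attribute is enough. True requires every attribute to be permitted.
    """
    granted = attributes_granted(bind_dn, entry, rules)
    if evaluate_target_attribute_rights:
        return len(granted) == len(entry)
    return len(granted) > 0


# Constructed sample data: a provisioning account allowed to add basic person
# attributes, and an entry that additionally carries a privilege attribute the
# account was never granted the right to add.
PROVISIONER = "uid=provisioner,ou=apps,dc=example,dc=com"
RULES = [AllowAddRule(PROVISIONER, frozenset({"objectClass", "uid", "cn", "sn", "mail"}))]
PLAIN_ENTRY = {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["J. Doe"], "sn": ["Doe"]}
PRIVILEGED_ENTRY = dict(PLAIN_ENTRY, **{"ds-privilege-name": ["config-read"]})


if __name__ == "__main__":
    for label, entry in (("plain", PLAIN_ENTRY), ("privileged", PRIVILEGED_ENTRY)):
        legacy = can_add_entry(PROVISIONER, entry, RULES, evaluate_target_attribute_rights=False)
        strict = can_add_entry(PROVISIONER, entry, RULES, evaluate_target_attribute_rights=True)
        print(f"{label}: legacy={legacy} strict={strict}")
```

With the property disabled, the privileged entry is accepted because four of its five attributes are covered by the rule; with it enabled, the uncovered attribute blocks the add, which is the behaviour to audit for before relying on per-attribute ACIs to constrain what a provisioning account can create.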
Increased replication speed
Improved DS-48826 PingDirectory
Increased throughput for replicated operations.
Made schema replication more efficient
Improved DS-48343 PingDirectory
Made schema replication more efficient by not sending, and by not applying, update messages that don’t need to be applied. This is done by calculating the generation ID correctly, setting replication operational attributes in the schema backend, and by noting the changes most recently applied in the replicationChanges backend.
Improved obsolete replica logic
Improved DS-48800 PingDirectory
Improved the obsolete replica logic so that replication more accurately determines whether a replica is obsolete.
Increased the efficiency of replication backlog health checks
Improved DS-48552 PingDirectoryProxy
Made the server health check for the replication backlog more efficient.
Reduced the size of replication monitor messages
Improved DS-48058 PingDirectory
To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.
Reduced the retrieval time for the percentage of undeletable files
Improved DS-45172 PingDirectory
Used caching to speed up the Database Environment monitor entry retrieval of the percentage of undeletable database files.
Expanded the controls for export-reversible-passwords
Improved DS-48022 PingDirectory
Updated the export-reversible-passwords tool to allow you to specify base DNs for entries to include in or exclude from the export.
Made it easier to upgrade the Password Sync Agent
Improved DS-17945, DS-48793 PingDataSync
Made it easier to install and upgrade the Password Sync Agent by clarifying and expanding the documentation.
Enhanced debug support for CLI tools
Improved DS-48239 PingDirectory, PingDirectoryProxy, PingDataSync
Added debug logging support to a number of command-line tools. Use the --help-debug argument to see the relevant arguments.
Added a timeout for long-running exec alert commands
Improved DS-48724 PingDirectory
Added a timeout feature that automatically terminates the execution of a long-running command or script initiated by the exec alert handler. The command-timeout attribute controls the time limit and has a default value of 1 hour. To disable this timeout, you can change the command-timeout value to 0 s. Learn more about Changing the timeout for an exec alert handler.
Enabled expensive operations access logging by default
Improved DS-48856 PingDirectory, PingDirectoryProxy, PingDataSync
Made a configuration change to have the expensive operations access logger enabled by default. Any operations that take at least one second to complete will be logged to the logs/expensive-ops file.
Added cipher re-initialization logic for performance improvement
Improved DS-48893 PingDirectory
Added the always-reinitialize-cached-cipher-instances configuration property to specify whether ciphers retrieved from an internal cache should always be re-initialized using Cipher.init() before re-use, or whether re-initialization can be skipped if the cipher has not been used to encrypt or decrypt data since a previous call to Cipher.init() or Cipher.doFinal().
This new property defaults to true, unless the server is running in FIPS 140-2-compliant mode. Skipping unnecessary re-initialization of cached ciphers results in greatly improved performance for implementations such as BCFIPS AES/CBC/PKCS5Padding.
Fixed an issue with inconsistency in paged search results
Fixed DS-46808 PingDirectory, PingDirectoryProxy
Fixed an issue where PingDirectoryProxy could have returned an inconsistent number of entries for paged search requests. Now, to ensure consistency in the returned entries, PingDirectoryProxy sends each paged search request to one server.
Fixed an encoding issue with UTF-8 in URI search filters
Fixed DS-48300 PingDirectory, PingDataSync
Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.
Fixed an issue with syncing modified PingOne attributes
Fixed DS-48669 PingDataSync
Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.
Fixed an issue with VLV indexes and extensible match filters
Fixed DS-48026 PingDirectory
Fixed an issue that could have prevented the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.
Fixed an issue with inconsistent entryUUID values across servers
Fixed DS-48678, DS-48720 PingDirectory
Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.
Fixed an issue with attribute value duplication
Fixed DS-48585 PingDirectory
Fixed an issue where replace operations that targeted attributes with subordinate types would cause the subordinate attribute values to be duplicated.
Fixed a replication issue with an Invalid host error
Fixed DS-48311 PingDirectory
Fixed an issue where disabling replication with a missing hostname sometimes caused dsreplication status to fail with an Invalid host error.
Fixed a configuration change issue when replacing profiles
Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync
Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.
Fixed an issue with an encryption alarm
Fixed DS-46533 PingDirectory
Fixed an issue where the Strong Encryption Not Available Gauge had a value of INDETERMINATE and showed an alarm, even when the JVM supported strong encryption. Also changed the name of this gauge to Strong Encryption Available to avoid confusion in the event of an alarm being raised.
Fixed an issue with the PSA updating the wrong entries
Fixed DS-48358 PingDataSync
Fixed an issue where the PSA could update incorrect entries upon a password change if there were users with the same sAMAccountName in a forest.
Fixed an issue with entry modification in replication
Fixed DS-48491 PingDirectory
Fixed an issue that could prevent a modify request from adding real attribute values to a replicated entry that already had one or more virtual values for that attribute.
Fixed an issue with indexing entries while debugging
Fixed DS-48723 PingDirectory
Fixed an issue where an untrusted composite index would prevent entries matching that index from being added or modified if a debug log publisher was enabled for the composite index.
Fixed an error message in the Delegated Admin report
Fixed DS-48774 PingDirectory, PingDirectoryProxy
Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.
Fixed a null pointer exception in replication
Fixed DS-48796 PingDirectory
Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.
Fixed an issue with installing PingDirectory in FIPS mode
Fixed DS-48834 PingDirectory
Resolved an issue where installing the PingDirectory server in FIPS-compliant mode would sometimes fail with an error stating that a configuration file entry had the same DN as another entry already read from that file.
Fixed a rare startup error related to replication and sleep values
Fixed DS-48897 PingDirectory
Fixed a rare issue where the server could have experienced an IllegalArgumentException on startup due to a negative sleep value when one or more replication servers wasn’t online.
Support for the HashiCorp Vault secrets engine
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine. Learn more about KV version 1 in the Vault KV secrets engine documentation.
PingDirectory suite of products 10.0.0.4 (October 2024)
Changed replication to prevent lockdown for missing changes from obsolete replicas
Improved DS-49070 PingDirectory
Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:
- The replication-purge-obsolete-replicas global configuration property is set to false.
- Not all servers in the topology support configurable missing changes.
- The remote server indicates lockdown for replicas that are actually obsolete.
Made it easier to upgrade replicated servers to version 10.0.0.4 or later
Improved DS-48798, DS-49090 PingDirectory
When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 10.0.0.4 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.
This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server, as the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.
After upgrade, the update tool also displays a message with more information:
In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas' global configuration property changed from 'false' to 'true'. However, it should generally only be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0 servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly set to false for this server if it was not explicitly set. Once you have completed the upgrade across all servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this property to 'true' on all servers.
Reduced the retrieval time for the percentage of undeletable files
Improved DS-45172 PingDirectory
Used caching to speed up the retrieval of the percentage of undeletable database files for the Database Environment monitor entry.
Fixed a config-diff error
Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.
Fixed a server startup issue
Fixed DS-49121 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue that could prevent the server from starting when configured to use a third-party key manager provider created using the Server SDK.
PingDirectory suite of products 10.0.0.3 (July 2024)
Increased replication speed
Improved DS-48826 PingDirectory
Increased throughput for replicated operations.
Reduced the size of replication monitor messages
Improved DS-48058 PingDirectory
To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message
global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.
Supplied missing replication error information
Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync
Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.
Fixed a configuration change issue when replacing profiles
Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync
Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.
Fixed an issue with syncing modified PingOne attributes
Fixed DS-48669 PingDataSync
Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.
Fixed an issue with inconsistent index metadata
Fixed DS-48969 PingDirectory
Fixed an issue that could cause an inconsistency in the metadata for a composite index record. This inconsistency could cause:
- Validator error messages in the server’s error log
- Error responses to some server requests
- Failure to bring the affected backend online (rare)
In addition, the server now has added resiliency against these kinds of issues, with a better ability to identify the correct result set and notify administrators of the issue.
Fixed a null pointer exception in replication
Fixed DS-48796 PingDirectory
Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.
Fixed an issue with inconsistent entryUUID values across servers
Fixed DS-48678, DS-48720 PingDirectory
Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.
Fixed an issue with VLV indexes and extensible match filters
Fixed DS-48026 PingDirectory
Fixed an issue that could prevent the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.
PingDirectory suite of products 10.0.0.2 (March 2024)
Added logging history for the setup tool
Improved DS-47831 PingDirectory
A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.
Fixed an encoding issue with UTF-8 in URI search filters
Fixed DS-48300 PingDirectory, PingDataSync
Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.
PingDirectory suite of products 10.0.0.1 (January 2024)
Fixed a memory issue introduced in 10.0 that could have caused the server to crash
Fixed DS-48599 PingDirectory
We fixed an uncommon issue that was causing memory usage to spike, possibly crashing the PingDirectory server.
With this issue present, when clients performed atypical modify operations, they might have populated entries with duplicate attribute values. If clients repeated these modifications, over time, the duplicate attribute values could have caused the server to consume a substantial amount of memory, which might have eventually caused the server to shut down with an out-of-memory error.
PingDirectory suite of products 10.0.0.0 (December 2023)
What’s new in the PingDirectory 10.0 suite of products?
New PingDirectory
- Historically, LDAP servers favor data integrity over resiliency. However, given the growth in customer topologies, there is a strong requirement for maintaining production server uptimes to meet customer expectations. In this environment, servers can be removed from the topology frequently, and if the server is down longer than the configured replication purge delay, problems could arise once the server is brought back online. In this release, a new feature allows you to configure the level of availability when encountering this issue during topology management.
- Static groups, which are the simplest and most commonly used type of group, explicitly list the DNs of group members. Server performance when adding or removing members from a static group depends partially on the group size itself, but we have identified a number of further inefficiencies in how the server handles static group membership changes. This release includes changes to improve performance when updating static groups.
  This release also introduces a new group type: inverted static groups. As with traditional static groups, inverted static group membership is explicitly defined rather than automatically determined. However, instead of storing the entire list of members in the group entry, each user entry lists the set of inverted static groups in which that user is a member. Inverted static groups with a large number of members can be more efficient to maintain than traditional static groups, because the change needed to add or remove a user only requires updating the user entry, which is not affected by the number of members in the group. The server also provides an optional plugin that allows an inverted static group to be updated as if it were a traditional static group, intercepting attempts to alter the membership attribute in the group entry itself and making the corresponding changes in user entries instead.
- PingDirectory allows clients to interact with the server using a REST API over HTTP as an alternative to LDAP. Recent updates to the Directory REST API, including the addition of support for controls and select extended operations, have improved feature parity between the REST-based and LDAP-based interfaces, creating a more robust experience for developers using the REST API.
  While it is possible to authorize individual requests using either HTTP basic authentication (using the DN and password of the target user) or with an OAuth 2 access token obtained through another service, the Directory REST API didn’t provide a fine-grained way of verifying user credentials. This release introduces a new authenticate endpoint, which provides a way for Directory REST API clients to verify user credentials. This enables you to better differentiate authentication failures from authorization failures, and to obtain an access token to use in authorizing subsequent requests as a specific user. Users can be identified with either a DN or a username, and the credentials may include a static password on its own or in conjunction with a delivered one-time password, a time-based one-time password, or a one-time password generated by a YubiKey device.
- PingDirectory has always offered support for defining deprecated password storage schemes. If a user successfully authenticates and provides the server their clear-text password, and if their password is currently encoded with an undesirable scheme, the server can automatically re-encode their password using a more desirable scheme. This release expands on this functionality by making it possible to re-encode passwords if the configuration of the underlying scheme has changed in a way that affects the scheme’s stored representation.
  For example, if a user’s password is encoded using the PBKDF2 scheme, the server can now automatically re-encode the password if their stored password uses a digest algorithm, iteration count, salt length, or derived key length that doesn’t match the current configuration of that scheme. PingDirectory has also long supported the Pwned Passwords service, rejecting attempts to set passwords that are known to have been compromised. In the past, interaction with the Pwned Passwords service used a hard-coded timeout of 30 seconds in case the service became unreachable or unresponsive. You can now customize that timeout.
- PingDirectory uses the Berkeley DB Java Edition to store its data, and this database library offers support for caching some or all of the data in memory for faster access. PingDirectory also allows administrators to configure separate backends to hold different portions of the DIT. Previously, the server maintained a separate database cache for each backend, requiring the administrator to adjust the percentage of the JVM’s memory that each backend is allowed to consume. This release now enables you to share a common database cache across all backends. Although this capability is disabled by default, it can simplify the server configuration by only requiring administrators to specify the total percentage of JVM memory to use for caching, without needing to configure caching separately for each backend.
- Amazon’s Simple Storage Service (S3) is a popular cloud-based data storage service that can be used as a convenient off-site backup mechanism. In the past, some PingDirectory server administrators have chosen to manually copy certain types of files (for example, LDIF exports or rotated log files) to an S3 bucket as an additional layer of safety in their disaster recovery strategy. This release introduces direct support for using the S3 service as a way of backing up LDIF exports and log files.
  This release offers support for post-LDIF-export task processors. This enables you to automatically perform additional processing after successfully completing an LDIF export, including exports created as part of a recurring task. We have included an implementation that can copy the resulting export file to a specified S3 bucket for safekeeping, and it can automatically remove older export files from that bucket based on the number or age of files in that bucket. It is also possible to use the Server SDK to develop custom post-LDIF-export task processor implementations to perform other kinds of processing after an export completes.
  This release offers a new log file rotation listener that can automatically copy log files to a specified S3 bucket as soon as they have been rotated out of place. This support is available for most types of log files that the server can generate, and it also supports automatic retention based on the number or age of the files in the bucket. The server now includes a new amazon-s3-client command-line tool that can be used to manually interact with the S3 service. This tool can be used to manually manage buckets and files contained in the S3 service, including uploading files to or downloading files from a specified bucket.
- This release includes changes to dramatically improve performance when creating a backup, restoring a backup, or performing online replica initialization.
Fixed a security issue
Security DS-47632 PingDirectory, Delegated Admin
Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039 (requires sign-on).
Added an amazon-s3-client command-line tool
New DS-47965 PingDirectory
Added a new amazon-s3-client command-line tool that can be used to interact with the Amazon AWS Simple Storage Service (S3) service. This tool enables you to list, create, and delete buckets, as well as list, upload, download, and delete files in a specified bucket. This may be useful in deployments where the server is configured to automatically copy rotated log files or exported LDIF files to the S3 service.
Added a request control to Directory REST API
New DS-47899 PingDirectory
Added support for access log field request control in Directory REST API requests.
Added a new /authenticate endpoint to the Directory REST API
New DS-47596 PingDirectory, PingDirectoryProxy
Added an /authenticate endpoint to the Directory REST API that enables users to generate an access token by providing combinations of valid credentials, depending on the authentication type specified in the HTTP request body. The supported authentication types are:
- password
- passwordPlusTOTP
- passwordPlusDeliveredOTP
- passwordPlusYubiKeyOTP
For more information on the /authenticate endpoint, see Managing the Directory REST API.
Added five new Directory REST API endpoints to support the /authenticate endpoint
New DS-47641, DS-47642, DS-47644, DS-47645, DS-47646, DS-47643, DS-47648 PingDirectory
Added five new Directory REST API endpoints to support the new /authenticate endpoint. These endpoints enable users to interact with supporting services that facilitate the creation, delivery, and revocation of one-time passwords (OTP) and time-based one-time passwords (TOTP), which are required to perform authentication operations with the API. These endpoints include:
- /directory/v1/{dn}/generateTOTPSharedSecret
- /directory/v1/{dn}/revokeTOTPSharedSecret
- /directory/v1/deliverOneTimePassword
- /directory/v1/{dn}/registerYubiKeyOTPDevice
- /directory/v1/{dn}/derigesterYubiKeyOTPDevice
For more information on these endpoints, see Managing the Directory REST API.
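The server-side logic that the password and passwordPlusTOTP authentication types and the generateTOTPSharedSecret/revokeTOTPSharedSecret endpoints imply, as an added example that is not the Directory REST API's implementation and does not reproduce its request or response bodies. The TOTP part is a standard RFC 4226/6238 implementation (HMAC-SHA1, 30-second step), checked against the RFC test vectors; the account record, password hashing parameters and replay tracking are constructed for this example. The delivered-OTP and YubiKey types are not shown.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

TOTP_STEP = 30
PBKDF2_ITERATIONS = 100_000  # illustrative value for the example's own password store


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // TOTP_STEP, digits)


@dataclass
class Account:
    dn: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None
    last_totp_counter: int = -1  # highest time-step counter already accepted (replay guard)


def make_account(dn: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return Account(dn, salt, digest, totp_secret)


def generate_totp_shared_secret(acct: Account) -> bytes:
    """What a generateTOTPSharedSecret-style operation does: mint and store a fresh secret."""
    acct.totp_secret = secrets.token_bytes(20)
    acct.last_totp_counter = -1
    return acct.totp_secret


def revoke_totp_shared_secret(acct: Account) -> None:
    acct.totp_secret = None


def check_password(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, acct.password_hash)


def check_totp(acct: Account, otp: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code for the current step or one step either side; never accept a step twice."""
    if acct.totp_secret is None:
        return False
    counter = unix_time // TOTP_STEP
    for c in range(counter - window, counter + window + 1):
        if c <= acct.last_totp_counter:
            continue  # already consumed: reject replay
        if hmac.compare_digest(hotp(acct.totp_secret, c), otp):
            acct.last_totp_counter = c
            return True
    return False


def authenticate(acct: Account, auth_type: str, password: str,
                 otp: Optional[str] = None, unix_time: int = 0):
    """Return (ok, reason). Both factors are evaluated before answering so the
    failure message does not reveal which one was wrong."""
    pw_ok = check_password(acct, password)
    if auth_type == "password":
        return pw_ok, "ok" if pw_ok else "invalid credentials"
    if auth_type == "passwordPlusTOTP":
        if otp is None:
            return False, "missing TOTP"
        otp_ok = check_totp(acct, otp, unix_time)
        ok = pw_ok and otp_ok
        return ok, "ok" if ok else "invalid credentials"
    return False, "unsupported authentication type"


if __name__ == "__main__":
    alice = make_account("uid=alice,ou=people,dc=example,dc=com", "correct horse")
    secret = generate_totp_shared_secret(alice)
    now = 1_700_000_000
    print(authenticate(alice, "passwordPlusTOTP", "correct horse", totp(secret, now), now))
```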
Added support for the 2b password storage variant
New DS-48119 PingDirectory
Updated the bcrypt password storage scheme to include support for the 2b variant in addition to the existing 2y, 2a, and 2x variants.
Added support for post-LDIF-export task processors
New DS-47420 PingDirectory
Added support for post-LDIF-export task processors to use in performing custom processing whenever an LDIF export task (including those invoked as part of a recurring task) successfully completes the export.
These processors include an Upload to S3 processor, which can be used to upload the resulting LDIF file to a specified Amazon S3 bucket. You can also use the Server SDK to create custom post-LDIF-export task processors. For more information, see Performing post-LDIF-export task processing.
Added support for inverted static groups
New DS-46026 PingDirectory
Added support for inverted static groups, which operate like traditional static groups in that membership is explicitly specified rather than dynamically determined, but where membership information is stored in user entries rather than in the group entry. For groups with a large number of members, inverted static groups may exhibit substantially better performance than traditional static groups.
Although it is not enabled by default, the server also provides a new plugin that makes it possible for clients to interact with inverted static groups in much the same way as they interact with traditional static groups. The plugin will intercept attempts to add or remove member DNs in the group entry itself and will instead cause the corresponding changes to be applied in the member entries. It also provides limited support for interacting with group members in the group entry for search and compare operations as if the member DNs actually existed in the group entries. For more information, see Using inverted static groups.
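The two membership models and the plugin's translation step, as an added example that is not PingDirectory's code: a tiny in-memory directory, a traditional static group that stores member DNs in the group entry, and an inverted static group whose membership lives in the user entries, with a function that does what the note's plugin does (turn a modify of the group's member attribute into per-user modifications). The attribute name exampleInvertedGroupDN and all DNs are constructed for this example, not the product's schema.

```python
from collections import defaultdict

MEMBER_ATTR = "member"                          # traditional static group: DNs kept in the group entry
INVERTED_GROUP_ATTR = "exampleInvertedGroupDN"  # constructed name: group DNs kept in each user entry


def new_directory():
    """dn -> {attribute -> set(values)}"""
    return defaultdict(lambda: defaultdict(set))


def add_entry(directory, dn, **attrs):
    for name, values in attrs.items():
        directory[dn][name].update(values)


# --- traditional static group -------------------------------------------------
def static_group_modify(directory, group_dn, op, user_dns):
    """Rewrite the group entry; the attribute rewritten grows with the whole membership."""
    members = directory[group_dn][MEMBER_ATTR]
    for user_dn in user_dns:
        (members.add if op == "add" else members.discard)(user_dn)
    return len(members)  # size of the value list the server had to write back


def static_group_members(directory, group_dn):
    return set(directory[group_dn][MEMBER_ATTR])


# --- inverted static group ----------------------------------------------------
def plugin_translate_group_modify(group_dn, op, user_dns):
    """Intercept a modify of the group's member attribute and produce the
    per-user modifications that are applied instead."""
    return [(user_dn, op, INVERTED_GROUP_ATTR, group_dn) for user_dn in user_dns]


def apply_user_modifications(directory, mods):
    """Each modification touches one user entry, independent of the group's size."""
    for user_dn, op, attr, value in mods:
        values = directory[user_dn][attr]
        (values.add if op == "add" else values.discard)(value)
    return len(mods)  # number of entries written


def inverted_group_members(directory, group_dn):
    """What the plugin answers for a search of the group's members: scan user entries."""
    return {dn for dn, attrs in directory.items()
            if group_dn in attrs.get(INVERTED_GROUP_ATTR, ())}


def is_inverted_member(directory, group_dn, user_dn):
    """Compare-style check: one user entry read, no group entry access."""
    return group_dn in directory.get(user_dn, {}).get(INVERTED_GROUP_ATTR, ())


def build_sample():
    """Constructed sample: three users, one static group and one inverted static group."""
    d = new_directory()
    for uid in ("alice", "bob", "carol"):
        add_entry(d, f"uid={uid},ou=people,dc=example,dc=com", objectClass=["inetOrgPerson"], uid=[uid])
    add_entry(d, "cn=staff,ou=groups,dc=example,dc=com", objectClass=["groupOfNames"])
    add_entry(d, "cn=staff-inverted,ou=groups,dc=example,dc=com", objectClass=["groupOfNames"])
    return d


if __name__ == "__main__":
    d = build_sample()
    users = [f"uid={u},ou=people,dc=example,dc=com" for u in ("alice", "bob")]
    print("static values rewritten:", static_group_modify(d, "cn=staff,ou=groups,dc=example,dc=com", "add", users))
    mods = plugin_translate_group_modify("cn=staff-inverted,ou=groups,dc=example,dc=com", "add", users)
    print("inverted entries written:", apply_user_modifications(d, mods))
    print(sorted(inverted_group_members(d, "cn=staff-inverted,ou=groups,dc=example,dc=com")))
```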
Added a split-ldif tool
New DS-48018 PingDirectory, PingDirectoryProxy
Added a split-ldif tool that can be used to split an LDIF file into multiple segments, with each having a subset of the entries below a specified base DN, and entries at or above that base DN will be included in all sets. This is primarily intended for splitting a large data set for use in entry balancing, and it offers several algorithms for dividing the entries between segments.
Added a new HTTP Connection configuration property
New DS-48055 PingDirectory
Added a new HTTP Connection configuration property to enable SNI hostname checks, which are now disabled by default.
Added a new configuration property for replication servers
New DS-47888 PingDirectory
Added the include-all-remote-servers-state-in-monitor-message configuration property to control whether replication monitor messages include information about remote servers. By default, the property is set to true so that information about remote servers is sent. Setting the property to false may be helpful in large topologies because the size of monitor messages scales with the number of servers.
Added a new log file rotation listener
New DS-47627
Added a new log file rotation listener that can be used to upload newly rotated log files to a specified Amazon S3 bucket. The listener can remove previously updated log files based on the specified number or age of files to retain.
Added the ability to share a single database cache
New DS-47756 PingDirectory
Added the ability to share a single database cache across all local DB backends. This is an alternative to the default behavior in which each local DB backend maintains its own independent database cache, and it can simplify cache sizing in deployments with multiple local DB backends. This behavior is controlled by two new global configuration properties:
- use-shared-database-cache-across-all-local-db-backends: Indicates whether to use a shared database cache. If this property is set to true, then all local DB backends will use a shared database cache, and you must set the property to specify the size of that shared cache. If the property is set to false (the default value), then each local DB backend will maintain its own independent database cache with a size specified by the db-cache-percent configuration property for that backend.
- shared-local-db-backend-database-cache-percent: Specifies the percentage of the total JVM heap size that will be used for the shared database cache. This property will only be used if the use-shared-database-cache-across-all-local-db-backends property is set to true, in which case the server will ignore the db-cache-percent property in the backend configuration.
If a shared database cache is enabled, the server will expose a Shared Local DB Backend Database Cache monitor entry with information about that shared cache, including how much of the cache is consumed by each of the backends.
Added the re-encode-passwords-on-scheme-config-change property to password policy configuration
New DS-35739 PingDirectory
Added the re-encode-passwords-on-scheme-config-change property to the password policy configuration to indicate if the server should automatically re-encode passwords that are encoded with settings that don’t match the scheme’s current configuration. If a user authenticates with a mechanism that provides their password unencoded, and if the password stored in their entry is encoded with settings that don’t match the current configuration for the associated password storage scheme, then the server now automatically re-encodes their password with the default password storage scheme(s) using the current settings. The following password storage schemes support this functionality: AES256, ARGON2, ARGON2D, ARGON2I, ARGON2ID, BCRYPT, PBKDF2, SCRYPT, SSHA, SSHA256, SSHA384, and SSHA512.
You can also implement this capability for custom password storage schemes developed with the Server SDK.
The ds-pwp-state-json virtual attribute provider has also been updated with a new has-password-encoded-with-non-current-settings field whose value indicates if the user’s password is encoded with settings that don’t match the current configuration, and a new non-current-password-storage-scheme-settings-explanations field that can provide additional details on how the password encoding differs from the current configuration.
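The mechanism described for the PBKDF2 case, as an added example that is not PingDirectory's password storage scheme code: passwords are encoded with a scheme configuration (digest, iteration count, salt length, derived key length), verification reads the parameters back out of the stored value, a check reports which parameters differ from the current configuration (the role of the two ds-pwp-state-json fields), and a successful bind, which is the only moment the clear-text password is available, triggers the re-encoding. The stored-value format and the small iteration counts are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PREFIX = "{PBKDF2}"  # constructed storage format: {PBKDF2}digest:iterations:salt_b64:dk_b64


@dataclass(frozen=True)
class Pbkdf2Config:
    digest: str
    iterations: int
    salt_length: int
    derived_key_length: int


def encode_password(password: str, cfg: Pbkdf2Config) -> str:
    salt = secrets.token_bytes(cfg.salt_length)
    dk = hashlib.pbkdf2_hmac(cfg.digest, password.encode(), salt, cfg.iterations, cfg.derived_key_length)
    return "%s%s:%d:%s:%s" % (PREFIX, cfg.digest, cfg.iterations,
                               base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def parse_encoded(stored: str):
    """Recover (digest, iterations, salt, derived_key) from a stored value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a PBKDF2-encoded value")
    digest, iterations, salt, dk = stored[len(PREFIX):].split(":")
    return digest, int(iterations), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(stored: str, password: str) -> bool:
    """Verification always uses the parameters the value was encoded with, not the current config."""
    digest, iterations, salt, dk = parse_encoded(stored)
    candidate = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, len(dk))
    return hmac.compare_digest(candidate, dk)


def non_current_settings_explanations(stored: str, cfg: Pbkdf2Config):
    """Why the stored encoding differs from the scheme's current configuration (empty if it matches)."""
    digest, iterations, salt, dk = parse_encoded(stored)
    out = []
    if digest != cfg.digest:
        out.append(f"digest algorithm is {digest} but the scheme is configured for {cfg.digest}")
    if iterations != cfg.iterations:
        out.append(f"iteration count is {iterations} but the scheme is configured for {cfg.iterations}")
    if len(salt) != cfg.salt_length:
        out.append(f"salt length is {len(salt)} but the scheme is configured for {cfg.salt_length}")
    if len(dk) != cfg.derived_key_length:
        out.append(f"derived key length is {len(dk)} but the scheme is configured for {cfg.derived_key_length}")
    return out


def has_password_encoded_with_non_current_settings(stored: str, cfg: Pbkdf2Config) -> bool:
    return bool(non_current_settings_explanations(stored, cfg))


def authenticate(stored: str, password: str, cfg: Pbkdf2Config,
                 re_encode_passwords_on_scheme_config_change: bool = True):
    """Return (ok, stored_after). A wrong password never changes the stored value;
    a correct one is re-encoded with the current settings when they differ and the flag is on."""
    if not verify_password(stored, password):
        return False, stored
    if re_encode_passwords_on_scheme_config_change and has_password_encoded_with_non_current_settings(stored, cfg):
        return True, encode_password(password, cfg)
    return True, stored


# Constructed configurations: the scheme was reconfigured from OLD to NEW after users enrolled.
OLD_CONFIG = Pbkdf2Config("sha256", 1000, 16, 32)
NEW_CONFIG = Pbkdf2Config("sha512", 2000, 16, 64)

if __name__ == "__main__":
    stored = encode_password("correct horse", OLD_CONFIG)
    print(non_current_settings_explanations(stored, NEW_CONFIG))
    ok, stored = authenticate(stored, "correct horse", NEW_CONFIG)
    print(ok, non_current_settings_explanations(stored, NEW_CONFIG))
```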
Added new arguments to the encrypt-file
tool
New DS-47612 PingDirectory
Added a --re-encrypt
argument to the encrypt-file
tool to read the contents of an existing encrypted file and re-encrypt it with a different encryption settings definition or user-supplied passphrase. If the file is currently encrypted with a user-supplied passphrase, then the --prompt-for-current-passphrase
or --current-passphrase-file
argument should be used to supply the current encryption passphrase. If the file is currently encrypted with an encryption settings definition, then that definition will automatically be obtained from the encryption settings database.
Added a --find-encrypted-files
argument to the encrypt-file
tool to identify encrypted files in a specified location on the filesystem. By default, the tool will search for files that are encrypted with any encryption settings definition or a user-supplied passphrase, but it can be used in conjunction with the --encryption-settings-id
argument to only identify files that are encrypted with the specified definition.
These new arguments can be useful when migrating away from a former encryption settings definition, particularly if the former definition will eventually be removed from the encryption settings database. If a definition is removed from the encryption settings database, any files encrypted with that definition will no longer be accessible.
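The migration workflow those two arguments support (find every file still bound to the old definition, re-encrypt each one under the new definition, confirm nothing references the old definition before it is removed) is shown below in Python, added as an example and not PingDirectory or Ping Identity code. The container format (a MAGIC line, a line naming the settings definition, a nonce, an HMAC, then ciphertext) and the SHA-256 counter keystream are constructed for illustration and are not PingDirectory's encrypted file format; find_encrypted_files and re_encrypt_file play the roles of --find-encrypted-files (with --encryption-settings-id) and --re-encrypt on that toy format.

```python
import hashlib
import hmac
import os
import pathlib
import tempfile

# Constructed container format for this example (not PingDirectory's format):
# MAGIC, a line naming the encryption settings definition, a 16-byte nonce,
# a 32-byte HMAC over header and ciphertext, then the ciphertext.
MAGIC = b"EXAMPLE-ENC-V1\n"
NONCE_LEN = 16
MAC_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_bytes(plaintext: bytes, settings_id: str, key: bytes) -> bytes:
    """Encrypt under one settings definition; the header records which one."""
    header = MAGIC + settings_id.encode("utf-8") + b"\n" + os.urandom(NONCE_LEN)
    nonce = header[-NONCE_LEN:]
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    mac = hmac.new(key, header + ciphertext, "sha256").digest()
    return header + mac + ciphertext


def read_settings_id(path):
    """Return the settings definition a file names, or None if not encrypted."""
    with open(path, "rb") as fh:
        if fh.read(len(MAGIC)) != MAGIC:
            return None
        return fh.readline().rstrip(b"\n").decode("utf-8")


def decrypt_bytes(blob: bytes, key: bytes) -> bytes:
    """Verify the MAC with the given key, then recover the plaintext."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted file")
    header_end = blob.index(b"\n", len(MAGIC)) + 1 + NONCE_LEN
    header = blob[:header_end]
    mac = blob[header_end:header_end + MAC_LEN]
    ciphertext = blob[header_end + MAC_LEN:]
    expected = hmac.new(key, header + ciphertext, "sha256").digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("wrong key or corrupted file")
    stream = _keystream(key, header[-NONCE_LEN:], len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def find_encrypted_files(root, settings_id=None):
    """Role of --find-encrypted-files: encrypted files under root, optionally
    restricted to one definition as --encryption-settings-id would."""
    found = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file():
            sid = read_settings_id(path)
            if sid is not None and (settings_id is None or sid == settings_id):
                found.append(path)
    return found


def re_encrypt_file(path, old_key: bytes, new_settings_id: str, new_key: bytes):
    """Role of --re-encrypt: decrypt with the old definition, rewrite under the new."""
    path = pathlib.Path(path)
    plaintext = decrypt_bytes(path.read_bytes(), old_key)
    path.write_bytes(encrypt_bytes(plaintext, new_settings_id, new_key))


def migrate(root, old_id, old_key, new_id, new_key) -> int:
    """Re-encrypt every file still bound to old_id; returns how many were moved.
    Only remove old_id from the settings database once this finds nothing left."""
    targets = find_encrypted_files(root, old_id)
    for path in targets:
        re_encrypt_file(path, old_key, new_id, new_key)
    return len(targets)


def demo() -> dict:
    """Constructed tree: two files under old-def, one under new-def, one plain."""
    old_key, new_key = b"old-definition-key", b"new-definition-key"
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "sub").mkdir()
    (root / "a.bin").write_bytes(encrypt_bytes(b"secret A", "old-def", old_key))
    (root / "sub" / "b.bin").write_bytes(encrypt_bytes(b"secret B", "old-def", old_key))
    (root / "c.bin").write_bytes(encrypt_bytes(b"secret C", "new-def", new_key))
    (root / "plain.txt").write_bytes(b"not encrypted")
    result = {"before": len(find_encrypted_files(root, "old-def"))}
    result["migrated"] = migrate(root, "old-def", old_key, "new-def", new_key)
    result["remaining"] = len(find_encrypted_files(root, "old-def"))
    result["total"] = len(find_encrypted_files(root))
    blob = (root / "sub" / "b.bin").read_bytes()
    result["recovered"] = decrypt_bytes(blob, new_key)
    try:
        decrypt_bytes(blob, old_key)
        result["old_key_rejected"] = False
    except ValueError:
        result["old_key_rejected"] = True
    return result
```

The check that matters before deleting a definition is the one migrate relies on: a find pass restricted to the old definition id must come back empty, because after removal the files it would have listed cannot be decrypted by anything.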
Added the replication-missing-changes-policy configuration property
New DS-45452, DS-47383 PingDirectory
Added a replication-missing-changes-policy configuration property for both replication servers and replication domains to control how replication handles missing changes. This property can be used to avoid missing changes lockdown in cases where such lockdown is not beneficial to the server.
When the missing changes policy is modified, connections are restarted so that the missing changes state can be reevaluated. Lockdown mode is not cleared, but may be cleared by running the leave-lockdown-mode tool.
Added support for an access log field request control
New DS-47557 PingDirectory, PingDirectoryProxy
Added support for an access log field request control to specify field names and values that should be included in the access log message for the associated operation.
Added support for a generate access token request control
New DS-47570 PingDirectory, PingDirectoryProxy
Added support for a generate access token request control that can be included in a bind request to indicate that the server should generate and return an access token in the bind response. That access token may be used in conjunction with the OAUTHBEARER SASL mechanism to authorize subsequent connections by that client. This can be useful in cases where the initial authentication should be performed in a manner that involves single-use credentials like a time-based one time password, a delivered one-time password, or a one-time password generated by a YubiKey device, but the client wishes to establish multiple connections in which the initial credentials cannot be replayed.
Removed support for Java 8
Info DS-47558 PingDirectory
Removed support for Java 8 in the PingDirectory server. For more information, see System requirements. For information on upgrading from a PingDirectory instance installed with Java 8, see PingDirectory, PingDirectoryProxy, and PingDataSync.
Removed support for two dsreplication subcommands
Info DS-47916 PingDirectory
Removed support for the deprecated remove-defunct-server and cleanup-local-server dsreplication subcommands. To remove a defunct server from the topology, use the remove-defunct-server command-line tool. To clean up topology references on a server, run remove-defunct-server --performLocalCleanup.
Removed the PingDataMetrics Server
Info DS-46012 PingDataMetrics
PingDataMetrics was previously deprecated and has been removed from this release. For more information about support for versions of PingDirectory containing PingDataMetrics, see Ping Identity’s End-of-Life Policy (sign on required).
To monitor and provide statistics for your PingDirectory suite of products, see Monitoring PingDirectory metrics with Splunk and Monitoring server metrics with Prometheus.
Improved communication with external HTTP services
Improved DS-47454 PingDirectory
Updated the server to allow configuration of connect and response timeouts when communicating with external HTTP services, such as CyberArk Conjur and HashiCorp Vault instances, the Pwned Passwords service, and YubiKey OTP validation servers.
Updated zip compression process
Improved DS-45148 PingDirectory
To improve server performance and prevent invalid block type errors, java.util.zip will now be used instead of com.jcraft.jzlib for zip compression.
Improved how the replication generation ID is calculated
Improved DS-47695 PingDirectory
The replication generation ID, a value used by replication to determine if replicas are compatible and can be replicated, will now be calculated in a way that is independent of the disk order in which the entries are stored. This is helpful when entries are imported into new servers instead of being initialized.
Improved password security when using the Directory REST API
Improved DS-48092 PingDirectory
To increase password security when using the Directory REST API, we improved the sanitization of password-related data in API responses.
Improved server upgrade times
Improved DS-47799 PingDirectory
Improved server upgrade times by streamlining the post-upgrade stability checks.
Improved memory handling for export-ldif and backup tools
Improved DS-44417 PingDirectory
To help avoid excessive memory pressure on a server running multiple processes, we reduced the JVM memory requirements for the export-ldif and backup command-line tools.
Updated the backup tool to include a compression warning
Improved DS-48121 PingDirectory
To help you manage your backup and restore times, the backup tool now displays a warning when you run it with the --compress flag on an encrypted backend.
Updated dsreplication tool to avoid overwrites
Improved DS-47820 PingDirectory
dsreplication commands that produce an error are now archived to avoid being overwritten. In addition, the dsreplication command now logs subcommands in separate files.
Improved performance for backup, restore, and online replica initialization
Improved DS-45157 PingDirectory
Significantly improved the performance times of backup, restore, and online replica initialization processes.
Improved performance of static group updates
Improved DS-47402, DS-47410, DS-47412, DS-47413 PingDirectory
Improved performance when making updates to static groups.
Updated the handling of extraneous data when syncing with Active Directory
Improved DS-46635 PingDataSync
For Active Directory Sync sources, when setting the startpoint to end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this update, setting the startpoint should be faster, particularly for slow networks.
Fixed an issue when initializing subhandlers on startup
Fixed DS-48046 PingDirectory
Fixed an issue where an Aggregate PTA handler’s subhandlers sometimes did not properly initialize on startup and threw a NullPointerException.
Fixed a logging issue when using proxied authorization
Fixed DS-48157 PingDirectory
Fixed an issue where the server did not properly log the alternative authorization DN for multi-update extended operations that used proxied authorization.
Fixed a duplication issue when running dsjavaproperties --initialize
Fixed DS-45206
Fixed an issue where running dsjavaproperties --initialize would append duplicate arguments to common.java-args in the java.properties file.
Fixed an issue with error logging
Fixed DS-48084 PingDirectory
Fixed an issue where a cn=config does not exist error message would appear in the error logs after navigating to the status page of the administrative console.
Fixed an issue with running manage-profile generate-profile on an upgraded instance
Fixed DS-47381
Fixed an issue where running manage-profile generate-profile on an instance that had been upgraded from an earlier version would result in a profile that contained commands that were part of the upgrade, and could not be used to set up new installations.
Fixed an issue with password validation
Fixed DS-47875 PingDirectory
Fixed an issue where the Dictionary password validator would sometimes incorrectly handle dictionary words contained as password substrings.
Fixed an issue that prevented use of the Changelog Password Encryption plugin in replicated environments
Fixed DS-48205 PingDirectory
Fixed an issue where the Changelog Password Encryption plugin would not work properly in a replicated environment if a password was changed with a Password Modify extended operation.
Fixed issues with rootDSE search
Fixed DS-47821 PingDirectory
Fixed an issue where an ldapsearch for rootDSE did not exclude the baseDNs that were specified in a client connection policy.
Fixed an incorrect help text suggestion when running dsreplication initialize
Fixed DS-47878 PingDirectory
Fixed an issue where help text incorrectly suggested using the --force flag if unable to connect to the server properly when running dsreplication initialize.
Fixed issues with password history
Fixed DS-47798, DS-47898, DS-47924 PingDirectory
Fixed an issue that could prevent the server from properly updating a user’s password history for a password change if the request included the password update behavior request control, indicating that password history violations should be ignored. This control is designed to prevent the server from rejecting an attempt to change a user’s password if the new password is already in the history, but it incorrectly caused the server to skip all password history processing for the update.
Fixed an issue that could cause the server to add two copies of the current password into the password history when setting a new password with the password modify extended operation. This did not affect password changes with a regular LDAP modify operation.
Fixed an issue where the server could incorrectly allow a user to set an empty password in cases where none of the configured password validators would have rejected an empty password.
Fixed the server’s handling of compact values for the ds-cfg-allow-pre-encoded-passwords attribute
Fixed DS-43034, DS-47832 PingDirectory
Fixed a regression that was introduced in the 9.3.0.0 release to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. This issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.
This fix enables the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. When the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address this issue.
Fixed an issue with replace modifications for attributes
Fixed DS-47975 PingDirectory
Fixed an issue that could prevent replace modifications for attribute types with subordinate types from being properly applied.
Fixed the server’s handling of SCIM patch operations including empty arrays
Fixed DS-47790 PingDirectory
Fixed an issue where the Configuration API treated SCIM patch operations with empty arrays as invalid. Now, the API resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.
Fixed the server’s handling of search operations
Fixed DS-47585 PingDirectory
Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. The server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys, the allowed time limit could be exceeded in that portion of the processing.
Fixed an issue with encryption settings initialization
Fixed DS-47784 PingDirectory
Fixed an issue where encryption settings were not initialized before initializing password policy components when running remove-defunct-server against servers configured with an AES256 password storage scheme.
Fixed an issue with expensive operation logging
Fixed DS-47614 PingDirectory
Fixed an issue that caused the server to incorrectly include client certificate messages in the expensive operations log.
Fixed an issue with LDAP Connection Handler objects
Fixed DS-46312
Fixed an issue where the absence of the request-handler-per-connection configuration property for LDAP Connection Handler objects resulted in a single request handler being unable to acknowledge incoming client requests for long-running TLS negotiations.
Fixed the check-replication-domains tool requirements
Fixed DS-47655
Fixed the check-replication-domains tool so that the --serverRoot argument is no longer required, and it defaults to the server’s root directory.
Fixed a missing changes error when performing replication
Fixed DS-47289 PingDirectory
Fixed a possible NullPointerException replication error that occurred when missing changes were found for a replica, but that replica did not exist on all servers.
Fixed an issue with account lockout
Fixed DS-47035 PingDirectory
Fixed an issue that could prevent an unsuccessful bind attempt from being properly counted toward account lockout for a user. If the user’s account had been temporarily locked as a result of too many failed authentication attempts, and if the first bind attempt after that temporary lockout period had elapsed was also unsuccessful, then the act of clearing the elapsed temporary lockout prevented the new failure from being properly recorded.
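To make that failure mode concrete, the following Python model of the per-account failure bookkeeping is added here as an example; it is not PingDirectory code, and the MAX_FAILURES and LOCKOUT_SECONDS values and all function names are assumptions. record_failure_before_fix reproduces the defect described above (clearing an elapsed temporary lockout returns early, so the failure that prompted the check is never counted), and record_failure_after_fix clears the elapsed lockout and then still counts the failure.

```python
MAX_FAILURES = 3        # assumed lockout failure count for this example
LOCKOUT_SECONDS = 300   # assumed temporary lockout duration for this example


def new_account_state() -> dict:
    """Per-account state: failures counted so far and when a lockout began."""
    return {"failures": 0, "locked_at": None}


def is_locked(state: dict, now: float) -> bool:
    """True while a temporary lockout is still in effect at time `now`."""
    return state["locked_at"] is not None and now - state["locked_at"] < LOCKOUT_SECONDS


def record_failure_before_fix(state: dict, now: float) -> None:
    """Models the defect: the elapsed lockout is cleared, then the handler
    returns without counting the failed bind that triggered the check."""
    if state["locked_at"] is not None:
        if now - state["locked_at"] >= LOCKOUT_SECONDS:
            state["locked_at"] = None
            state["failures"] = 0
            return              # the new failure is lost here
        return                  # still locked; nothing more to record
    state["failures"] += 1
    if state["failures"] >= MAX_FAILURES:
        state["locked_at"] = now


def record_failure_after_fix(state: dict, now: float) -> None:
    """Clears an elapsed lockout and falls through so the failure is counted."""
    if state["locked_at"] is not None:
        if now - state["locked_at"] < LOCKOUT_SECONDS:
            return              # still locked; nothing more to record
        state["locked_at"] = None
        state["failures"] = 0
    state["failures"] += 1
    if state["failures"] >= MAX_FAILURES:
        state["locked_at"] = now


def record_success(state: dict) -> None:
    """A successful bind resets the failure count and any lockout."""
    state["failures"] = 0
    state["locked_at"] = None


def replay(record_failure, events):
    """Feed (time, bind_succeeded) events through one handler; returns final state.
    Events are constructed timestamps in seconds, not real bind traffic."""
    state = new_account_state()
    for now, succeeded in events:
        if succeeded:
            record_success(state)
        else:
            record_failure(state, now)
    return state
```

With three failures at t=0, 1, 2 and a fourth at t=400 (after the 300-second lockout has elapsed), the pre-fix handler ends with zero counted failures and the fixed handler with one; two further failures at t=401 and t=402 lock the account again only with the fixed handler, which is the difference the fix restores.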
Fixed the server’s handling of alerts or alarms without configuration
Fixed DS-47455
Fixed a NullPointerException error where an alert or alarm was raised and one or more of the alert handlers was not configured. This most commonly happened when the server was being stopped.
Fixed the formatting of Generic JDBC sync pipe destination attributes
Fixed DS-47918 PingDataSync
We fixed an issue where, when using the create-sync-pipe-config command, the correlated attributes for Generic JDBC sync pipe destinations were a single string value. The attributes are now correctly split by commas.
Fixed an issue with syncing to Active Directory
Fixed DS-48151 PingDataSync
Fixed an issue where syncing to an Active Directory sync destination could result in the destination rejecting operations if a DN map was not configured on the sync class, and if the operations included modifications to the unicodePwd attribute.
Fixed an issue with synchronizing the enabled attribute in a PingOne destination
Fixed DS-47905 PingDataSync
Fixed an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.
To create an attribute mapping that will modify the enablement status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This will ensure that the enabled attribute will always have a well-defined value, even if the source attribute is not present on an entry in the source server.
dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=)) : true'
Fixed an issue with the manage-topology add-server command
Fixed DS-45527 PingDataSync
Fixed an issue where a NullPointerException would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.
Fixed issue with reported availability of backends
Fixed DS-48040 PingDirectoryProxy
Fixed an issue where Proxy would not accurately report the availability of backends added through automatic backend discovery.
Support for the HashiCorp Vault secrets engine
Issue DS-49305 PingDirectory
Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine. Learn more about KV version 1 in the Vault KV secrets engine documentation.