PingDirectory

Release Notes

Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to the PingDirectory server, the PingDirectoryProxy server, and the PingDataSync server. Updated July 31, 2024.

PingDirectory suite of products 10.1.0.2 (September 2024)

Changed replication to prevent lockdown for missing changes from obsolete replicas

Improved DS-49070 PingDirectory

Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:

  • The replication-purge-obsolete-replicas global configuration property is set to false.

  • Not all servers in the topology support configurable missing changes.

  • The remote server indicates lockdown for replicas that are actually obsolete.

Made it easier to upgrade replicated servers to version 10.1.0.2 or later

Improved DS-48798, DS-49090 PingDirectory

When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 10.1.0.2 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.

This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server, as the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.

After upgrade, the update tool also displays a message with more information:

In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas'
global configuration property changed from 'false' to 'true'. However, it should generally only
be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server
is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0
servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly
set to false for this server if it was not explicitly set. Once you have completed the upgrade across all
servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this
property to 'true' on all servers.

Fixed a missing replication error message

Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where dsreplication enable wouldn’t print error information if the tool failed to establish a connection to a source or target server.

Fixed a config-diff error

Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.

PingDirectory suite of products 10.1.0.0 (June 2024)

Fixed a PingDirectoryProxy authentication issue

Security DS-48028 PingDirectoryProxy

Fixed an issue that could have allowed clients attempting to authenticate through the PingDirectoryProxy server to obtain more information in the bind response than would have been allowed if the request had been sent directly to a PingDirectory server.

Added presence component support for composite index filter patterns

New DS-18120 PingDirectory

Added the ability to use presence components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing presence attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern. Learn more about Composite index filter patterns.

Added static equality support for composite index filter patterns

New DS-18120 PingDirectory

Added the ability to use equality components with static values in composite index filter patterns, which can be useful in cases where you want to index specific attribute values that are present in a large number of entries. The index filter pattern can either be a simple static equality component, an AND filter with multiple static equality components, or an AND filter with static equality components combined with other supported filter pattern components.

Added approximate matching support for composite index filter patterns

New DS-48631 PingDirectory

Added the ability to use approximate matching components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing approximate matching attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern.

Added support for localized matching in searches

New DS-48630 PingDirectory

Added support for several collation matching rules, which allow clients to use extensible match filters to better search for entries with non-English values. Learn more about Localization of searches with collation matching.

Added a repair tool for broken trust in replicated topologies

New DS-48752 PingDirectory

Added a tool to repair broken listener certificate trust in replicated topologies. To reduce troubleshooting and speed up the repair of broken subtree mirroring in a replicated topology where listener certificates have fallen out of trust, you can use the repair-topology-listener-certificates tool. Learn more about Repairing broken listener certificate trust in replication.

This tool is not an alternative to using the replace-certificates tool when changing listener certificates normally and can only be used to address issues that arise from unsuccessful certificate updates in the topology registry.

Added the ability to compare LDAP schemas between servers

New DS-47930 PingDirectory, PingDirectoryProxy

Added the compare-ldap-schemas tool to identify differences between the schemas of two LDAP servers.

Added a configurable limit for subtree modification

New DS-47316 PingDirectory

Added the subtree-modify-dn-size-limit configuration property for local DB backends. By default, the server now rejects modify DN operations in which the target entry has more than 100 subordinate entries, which can help protect against inadvertent and potentially expensive subtree moves or renames.

With this property, subtree modify DN operations can be completely disabled, limited to subtrees of a specified maximum size, or allowed for subtrees of any size.

Added client connection info in request-type access logging

New DS-48614 PingDirectory

Added the include-connection-details-in-request-messages property to allow you to add details about client connections in request-type access log messages. The property is disabled by default. Learn more about Adding connection information to request-type log messages.

Added the ability to exclude error log messages

New DS-48581 PingDirectory, PingDirectoryProxy, PingDataSync

Added the ability to exclude specific error log messages to help simplify server administration. You can configure several criteria to determine which messages to exclude. Learn more about Excluding specific log messages.

Added boolean attribute support for Prometheus metrics

New DS-47286 PingDirectory

Added support for boolean attributes in Prometheus monitor metrics. These metrics can be used for monitor attributes that have values such as true, false, enabled, disabled, yes, no, on, off, 1, or 0. The server sends a gauge metric to Prometheus with a value of 1 or 0 to represent these values. Learn more about Customizing published metrics.

Added obfuscation for sensitive Kafka values

New DS-48216 PingDataSync

Added the sensitive-kafka-producer-property configuration object to enable you to obscure sensitive producer property values, such as keys or passwords. Learn more about Obscuring sensitive producer property values.

Added support for PKCS11 key wrapping transformations

New DS-48514 PingDirectory

For environments that require specific key wrapping transformations, we added the ability to use dsconfig to update the key-wrapping-transformation property for PingDirectory PKCS11 cipher stream providers.

Added a password verification extended operation

New DS-48662 PingDirectory, PingDirectoryProxy

Added support for an extended operation to verify passwords, which can be used to determine whether a specified password is correct for a given user without performing any other password policy processing. Support for this operation is disabled by default. Learn more about The verify password extended operation.

Added support for synchronizing account lock statuses from PingOne

Improved DS-47933 PingDataSync

Increased the consistency of enterprise-wide user statuses by adding support for synchronizing account lock status events from a PingOne source. Learn more about Synchronizing PingOne account status with PingDirectory.

Enabled candidate set caching to improve indexed search performance

Improved DS-48530 PingDirectory

Added a configuration property that enables you to cache the candidate set for indexed search requests that include the simple paged results request control. By default, the server recomputes the candidate set for each page of results retrieved from the server. With caching enabled, the server can reuse the same candidate set across all pages without needing to recompute it each time.

Reduced the performance impact of exploded index cleanup processing

Improved DS-48672 PingDirectory

Reduced the performance impact of the background cleanup processing that occurs when an exploded index key exceeds the index entry limit.

Previously, performance of other write operations had been substantially degraded while the cleanup was in progress and, under certain circumstances, could have caused the server to appear unresponsive. Now, the background cleanup processing might take significantly longer but has much less impact on other operations while that cleanup is in progress.

Increased the speed of search results

Improved DS-48075 PingDirectory

Updated the server to allow it to start returning matching entries more quickly and with reduced memory consumption when processing a search request that can be perfectly satisfied by a single composite index key.

Increased the server startup speed

Improved DS-48869 PingDirectory, PingDirectoryProxy, PingDataSync

Changed the default behavior of the interactive setup to not prime the database by preloading its contents.

Increased throughput in backend DB environments

Improved DS-48827 PingDirectory

Increased write throughput and significantly reduced response time outliers in backend DB environments.

Improved performance for servers with large configuration archives

Improved DS-48875 PingDirectory, PingDirectoryProxy, PingDataSync

Changed the configuration archive to retain a maximum of 100 previous configurations by default to alleviate the performance impact of large archives.

Improved server guidance around attribute and composite indexes

Improved DS-48670, DS-5357 PingDirectory

Updated the server to raise an alert or log a warning message when attribute index entry limits are set too high and to recommend the use of composite indexes instead. High index entry limits can lead to performance issues for attribute indexes, and composite indexes offer much better performance and scalability for index keys that match a large number of entries.

Reduced memory pressure for dynamic group caching

Improved DS-44929 PingDirectory

Reduced the amount of memory needed to cache information about dynamic groups.

Enabled data imports to ignore duplicate attribute values

Improved DS-48603 PingDirectory

Updated the import-ldif tool to add an --ignoreDuplicateAttributeValues argument. By default, the tool rejects any entries that contain duplicate values within the same attribute, but this new argument causes it to behave as if each value had only been provided once.

Enhanced the configurability of ACI rights for adding entries

Improved DS-48516 PingDirectory

Added the evaluate-target-attribute-rights-for-add-operations configuration property to the access control handler to correct a behavior where the bind user required an allow add ACI for only one attribute of an entry to add the entry.

With this property enabled, the bind user must have an allow add ACI for all attributes of an entry to add the entry. To avoid changing existing functionality, evaluate-target-attribute-rights-for-add-operations is disabled by default. Learn more about Changing the allow add ACI behavior for entries.

Increased replication speed

Improved DS-48826 PingDirectory

Increased throughput for replicated operations.

Made schema replication more efficient

Improved DS-48343 PingDirectory

Made schema replication more efficient by not sending, and by not applying, update messages that don’t need to be applied. This is done by calculating the generation ID correctly, setting replication operational attributes in the schema backend, and by noting the changes most recently applied in the replicationChanges backend.

Improved obsolete replica logic

Improved DS-48800 PingDirectory

Improved obsolete replica logic so that replication more accurately determines whether a replica is obsolete.

Increased the efficiency of replication backlog health checks

Improved DS-48552 PingDirectoryProxy

Made the server health check for the replication backlog more efficient.

Reduced the size of replication monitor messages

Improved DS-48058 PingDirectory

To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.

Reduced the retrieval time for the percentage of undeletable files

Improved DS-45172 PingDirectory

Used caching to speed up the Database Environment monitor entry retrieval of the percentage of undeletable database files.

Expanded the controls for export-reversible-passwords

Improved DS-48022 PingDirectory

Updated the export-reversible-passwords tool to allow you to specify base DNs for entries to include in or exclude from the export.

Made it easier to upgrade the Password Sync Agent

Improved DS-17945, DS-48793 PingDataSync

Made it easier to install and upgrade the Password Sync Agent by clarifying and expanding the documentation.

Enhanced debug support for CLI tools

Improved DS-48239 PingDirectory, PingDirectoryProxy, PingDataSync

Added debug logging support to a number of command-line tools. Use the --help-debug argument to see the relevant arguments.

Added a timeout for long-running exec alert commands

Improved DS-48724 PingDirectory

Added a timeout feature that automatically terminates the execution of a long-running command or script initiated by the exec alert handler. The command-timeout attribute controls the time limit and has a default value of 1 hour. To disable this timeout, you can change the command-timeout value to 0 s. Learn more about Changing the timeout for an exec alert handler.

Enabled expensive operations access logging by default

Improved DS-48856 PingDirectory, PingDirectoryProxy, PingDataSync

Made a configuration change to have the expensive operations access logger enabled by default. Any operations that take at least one second to complete will be logged to the logs/expensive-ops file.

Added cipher re-initialization logic for performance improvement

Improved DS-48893 PingDirectory

Added the always-reinitialize-cached-cipher-instances configuration property to specify whether ciphers retrieved from an internal cache should always be re-initialized using Cipher.init() before re-use, or whether re-initialization can be skipped if the cipher has not been used to encrypt or decrypt data since a previous call to Cipher.init() or Cipher.doFinal().

This new property defaults to true, unless the server is running in FIPS 140-2-compliant mode. Skipping unnecessary re-initialization of cached ciphers results in greatly improved performance for implementations such as BCFIPS AES/CBC/PKCS5Padding.

Fixed an issue with inconsistency in paged search results

Fixed DS-46808 PingDirectory, PingDirectoryProxy

Fixed an issue where PingDirectoryProxy could have returned an inconsistent number of entries for paged search requests. Now, to ensure consistency in the returned entries, PingDirectoryProxy sends each paged search request to one server.

Fixed an encoding issue with UTF-8 in URI search filters

Fixed DS-48300 PingDirectory, PingDataSync

Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed an issue with syncing modified PingOne attributes

Fixed DS-48669 PingDataSync

Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.

Fixed an issue with VLV indexes and extensible match filters

Fixed DS-48026 PingDirectory

Fixed an issue that could have prevented the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.

Fixed an issue with inconsistent entryUUID values across servers

Fixed DS-48678, DS-48720 PingDirectory

Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.

Fixed an issue with attribute value duplication

Fixed DS-48585 PingDirectory

Fixed an issue where replace operations that targeted attributes with subordinate types would cause the subordinate attribute values to be duplicated.

Fixed a replication issue with an Invalid host error

Fixed DS-48311 PingDirectory

Fixed an issue where disabling replication with a missing hostname sometimes caused dsreplication status to fail with an Invalid host error.

Fixed a configuration change issue when replacing profiles

Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync

Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.

Fixed an issue with an encryption alarm

Fixed DS-46533 PingDirectory

Fixed an issue where the Strong Encryption Not Available Gauge had a value of INDETERMINATE and showed an alarm, even when the JVM supported strong encryption. Also changed the name of this gauge to Strong Encryption Available to avoid confusion in the event of an alarm being raised.

Fixed an issue with the PSA updating the wrong entries

Fixed DS-48358 PingDataSync

Fixed an issue where the PSA could update incorrect entries upon a password change if there were users with the same sAMAccountName in a forest.

Fixed an issue with entry modification in replication

Fixed DS-48491 PingDirectory

Fixed an issue that could prevent a modify request from adding real attribute values to a replicated entry that already had one or more virtual values for that attribute.

Fixed an issue with indexing entries while debugging

Fixed DS-48723 PingDirectory

Fixed an issue where an untrusted composite index would prevent entries matching that index from being added or modified if a debug log publisher was enabled for the composite index.

Fixed an error message in the Delegated Admin report

Fixed DS-48774 PingDirectory, PingDirectoryProxy

Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.

Fixed a null pointer exception in replication

Fixed DS-48796 PingDirectory

Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.

Fixed an issue with installing PingDirectory in FIPS mode

Fixed DS-48834 PingDirectory

Resolved an issue where installing the PingDirectory server in FIPS-compliant mode would sometimes fail with an error stating that a configuration file entry had the same DN as another entry already read from that file.

Fixed a startup exception caused by offline replication servers

Fixed DS-48897 PingDirectory

Fixed a rare issue where the server could have experienced an IllegalArgumentException on startup due to a negative sleep value when one or more replication servers weren't online.

Support for HashiCorp Vault password storage schemes

Issue DS-49305 PingDirectory

Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.

PingDirectory suite of products 10.0.0.4 (October 2024)

Changed replication to prevent lockdown for missing changes from obsolete replicas

Improved DS-49070 PingDirectory

Changed replication behavior to prevent server lockdown for missing changes due to obsolete replicas. This change affects the following scenarios where, previously, these types of missing changes triggered lockdowns:

  • The replication-purge-obsolete-replicas global configuration property is set to false.

  • Not all servers in the topology support configurable missing changes.

  • The remote server indicates lockdown for replicas that are actually obsolete.

Made it easier to upgrade replicated servers to version 10.0.0.4 or later

Improved DS-48798, DS-49090 PingDirectory

When upgrading a pre-9.2 PingDirectory server in a replicated topology to version 10.0.0.4 or later, the update tool will automatically set replication-purge-obsolete-replicas to false for that server, if not already explicitly configured.

This change helps avoid unintended consequences when upgrading a pre-9.2 replicated server, as the replication-purge-obsolete-replicas configuration property has a value of true by default in version 9.2.

After upgrade, the update tool also displays a message with more information:

In the 9.2.0.0 release, the implicit default value for the 'replication-purge-obsolete-replicas'
global configuration property changed from 'false' to 'true'. However, it should generally only
be set to true if all servers in the topology are at version 9.2.0.0 or later. Because this server
is being updated from a pre-9.2.0.0 version, it is possible that there are still other pre-9.2.0.0
servers in the topology. As such, the 'replication-purge-obsolete-replicas' property will be explicitly
set to false for this server if it was not explicitly set. Once you have completed the upgrade across all
servers in the topology so that there are no more pre-9.2.0.0 replicas, consider manually setting this
property to 'true' on all servers.

Reduced the retrieval time for the percentage of undeletable files

Improved DS-45172 PingDirectory

Used caching to speed up the retrieval of the percentage of undeletable database files for the Database Environment monitor entry.

Fixed a config-diff error

Fixed DS-49071 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.

Fixed a server startup issue

Fixed DS-49121 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue that could prevent the server from starting when configured to use a third-party key manager provider created using the Server SDK.

Removed suppression messages for disabled alerts

Fixed DS-49119 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where alert types that were disabled would still output suppression messages.

Changed the REST API to use alternate authorization IDs

Fixed DS-49195 PingDirectoryProxy

Fixed an issue where the Directory REST API didn’t use alternate authorization identities in entry-balanced proxy environments.

PingDirectory suite of products 10.0.0.3 (July 2024)

Increased replication speed

Improved DS-48826 PingDirectory

Increased throughput for replicated operations.

Reduced the size of replication monitor messages

Improved DS-48058 PingDirectory

To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.

Supplied missing replication error information

Fixed DS-48785 PingDirectory, PingDirectoryProxy, PingDataSync

Fixed an issue where dsreplication enable didn’t print error information if the tool failed to establish a connection to a source or target server.

Fixed a configuration change issue when replacing profiles

Fixed DS-45783 PingDirectory, PingDirectoryProxy, PingDataSync

Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.

Fixed an issue with syncing modified PingOne attributes

Fixed DS-48669 PingDataSync

Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.

Fixed an issue with inconsistent index metadata

Fixed DS-48969 PingDirectory

Fixed an issue that could cause an inconsistency in the metadata for a composite index record. This inconsistency could cause:

  • Validator error messages in the server’s error log

  • Error responses to some server requests

  • Failure to bring the affected backend online (rare)

In addition, the server now has added resiliency against these kinds of issues, with a better ability to identify the correct result set and notify administrators of the issue.

Fixed a null pointer exception in replication

Fixed DS-48796 PingDirectory

Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.

Fixed an issue with inconsistent entryUUID values across servers

Fixed DS-48678, DS-48720 PingDirectory

Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.

Fixed an issue with VLV indexes and extensible match filters

Fixed DS-48026 PingDirectory

Fixed an issue that could prevent the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.

PingDirectory suite of products 10.0.0.2 (March 2024)

Added logging history for the setup tool

Improved DS-47831 PingDirectory

A copy of the setup script output is now saved to an archive file in the /history directory. This should help with troubleshooting installations where multiple server images have been extracted on top of each other and setup has been run multiple times.

Fixed an encoding issue with UTF-8 in URI search filters

Fixed DS-48300 PingDirectory, PingDataSync

Fixed an issue where PingDataSync couldn’t properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed an issue with attribute duplication

Fixed DS-48585 PingDirectory

Fixed an issue where replace operations that target attributes with subordinate types would cause the subordinate attribute values to be duplicated.

PingDirectory suite of products 10.0.0.1 (January 2024)

Fixed a memory issue introduced in 10.0 that could have caused the server to crash

Fixed DS-48599 PingDirectory

We fixed an uncommon issue that was causing memory usage to spike, possibly crashing the PingDirectory server.

With this issue present, when clients performed atypical modify operations, they might have populated entries with duplicate attribute values. If clients repeated these modifications, over time, the duplicate attribute values could have caused the server to consume a substantial amount of memory, which might have eventually caused the server to shut down with an out-of-memory error.

PingDirectory suite of products 10.0.0.0 (December 2023)

What’s new in the PingDirectory 10.0 suite of products?

New

PingDirectory
  • Historically, LDAP servers favor data integrity over resiliency. However, given the growth in customer topologies, there is a strong requirement for maintaining production server uptimes to meet customer expectations. In this environment, servers can be removed from the topology frequently, and if the server is down longer than the configured replication purge delay, problems could arise once the server is brought back online. In this release, a new feature allows you to configure the level of availability when encountering this issue during topology management.

  • Static groups, which are the simplest and most commonly used type of group, explicitly list the DNs of group members. Server performance when adding or removing members from a static group depends partially on the group size itself, but we have identified a number of further inefficiencies in how the server handles static group membership changes. This release includes changes to improve performance when updating static groups.

    This release also introduces a new group type: inverted static groups. As with traditional static groups, inverted static group membership is explicitly defined rather than automatically determined. However, instead of storing the entire list of members in the group entry, each user entry lists the set of inverted static groups in which that user is a member. Inverted static groups with a large number of members can be more efficient to maintain than traditional static groups, because the change needed to add or remove a user only requires updating the user entry, which is not affected by the number of members in the group. The server also provides an optional plugin that allows an inverted static group to be updated as if it were a traditional static group, intercepting attempts to alter the membership attribute in the group entry itself and making the corresponding changes in user entries instead.

  • PingDirectory allows clients to interact with the server using a REST API over HTTP as an alternative to LDAP. Recent updates to the Directory REST API, including the addition of support for controls and select extended operations, have improved feature parity between the REST-based and LDAP-based interfaces, creating a more robust experience for developers using the REST API.

    While it is possible to authorize individual requests using either HTTP basic authentication (using the DN and password of the target user) or with an OAuth 2 access token obtained through another service, the Directory REST API didn’t provide a fine-grained way of verifying user credentials. This release introduces a new authenticate endpoint, which provides a way for Directory REST API clients to verify user credentials. This enables you to better differentiate authentication failures from authorization failures, and to obtain an access token to use in authorizing subsequent requests as a specific user. Users can be identified with either a DN or a username, and the credentials may include a static password on its own or in conjunction with a delivered one-time password, a time-based one-time password, or a one-time password generated by a YubiKey device.

  • PingDirectory has always offered support for defining deprecated password storage schemes. If a user successfully authenticates and provides the server their clear-text password, and if their password is currently encoded with an undesirable scheme, the server can automatically re-encode their password using a more desirable scheme. This release expands on this functionality by making it possible to re-encode passwords if the configuration of the underlying scheme has changed in a way that affects the scheme’s stored representation.

    For example, if a user’s password is encoded using the PBKDF2 scheme, the server can now automatically re-encode the password if their stored password uses a digest algorithm, iteration count, salt length, or derived key length that doesn’t match the current configuration of that scheme. PingDirectory has also long supported the Pwned Passwords service, rejecting attempts to set passwords that are known to have been compromised. In the past, interaction with the Pwned Passwords service used a hard-coded timeout of 30 seconds in case the service became unreachable or unresponsive. You can now customize that timeout.

  • PingDirectory uses the Berkeley DB Java Edition to store its data, and this database library offers support for caching some or all of the data in memory for faster access. PingDirectory also allows administrators to configure separate backends to hold different portions of the DIT. Previously, the server maintained a separate database cache for each backend, requiring the administrator to adjust the percentage of the JVM’s memory that each backend is allowed to consume. This release now enables you to share a common database cache across all backends. Although this capability is disabled by default, it can simplify the server configuration by only requiring administrators to specify the total percentage of JVM memory to use for caching, without needing to configure caching separately for each backend.

  • Amazon’s Simple Storage Service (S3) is a popular cloud-based data storage service that can be used as a convenient off-site backup mechanism. In the past, some PingDirectory server administrators have chosen to manually copy certain types of files (for example, LDIF exports or rotated log files) to an S3 bucket as an additional layer of safety in their disaster recovery strategy. This release introduces direct support for using the S3 service as a way of backing up LDIF exports and log files.

    This release offers support for post-LDIF-export task processors. This enables you to automatically perform additional processing after successfully completing an LDIF export, including exports created as part of a recurring task. We have included an implementation that can copy the resulting export file to a specified S3 bucket for safekeeping, and it can automatically remove older export files from that bucket based on the number or age of files in that bucket. It is also possible to use the Server SDK to develop custom post-LDIF-export task processor implementations to perform other kinds of processing after an export completes.

    This release offers a new log file rotation listener that can automatically copy log files to a specified S3 bucket as soon as they have been rotated out of place. This support is available for most types of log files that the server can generate, and it also supports automatic retention based on the number or age of the files in the bucket. The server now includes a new amazon-s3-client command-line tool that can be used to manually interact with the S3 service. This tool can be used to manually manage buckets and files contained in the S3 service, including uploading files to or downloading files from a specified bucket.

  • This release includes changes to dramatically improve performance when creating a backup, restoring a backup, or performing online replica initialization.

Fixed a security issue

Security DS-47632 PingDirectory, Delegated Admin

Fixed a security issue that could potentially affect customers using Delegated Admin. Customers are advised to apply a maintenance patch or upgrade to the latest supported version of the PingDirectory server. The Delegated Admin application is unaffected and does not require updating. Additional details are provided in SECADV039 (requires sign-on).

Added an amazon-s3-client command-line tool

New DS-47965 PingDirectory

Added a new amazon-s3-client command-line tool that can be used to interact with the Amazon AWS Simple Storage Service (S3) service. This tool enables you to list, create, and delete buckets, as well as list, upload, download, and delete files in a specified bucket. This may be useful in deployments where the server is configured to automatically copy rotated log files or exported LDIF files to the S3 service.

Added a request control to Directory REST API

New DS-47899 PingDirectory

Added support for access log field request control in Directory REST API requests.

Added a new /authenticate endpoint to the Directory REST API

New DS-47596 PingDirectory, PingDirectoryProxy

Added an /authenticate endpoint to the Directory REST API that enables users to generate an access token by providing combinations of valid credentials, depending on the authentication type specified in the HTTP request body. The supported authentication types are:

  • password

  • passwordPlusTOTP

  • passwordPlusDeliveredOTP

  • passwordPlusYubiKeyOTP

For more information on the /authenticate endpoint, see Managing the Directory REST API.

Added five new Directory REST API endpoints to support the /authenticate endpoint

New DS-47641, DS-47642, DS-47644, DS-47645, DS-47646, DS-47643, DS-47648 PingDirectory

Added five new Directory REST API endpoints to support the new /authenticate endpoint. These endpoints enable users to interact with supporting services that facilitate the creation, delivery, and revocation of one-time passwords (OTP) and time-based one-time passwords (TOTP), which are required to perform authentication operations with the API. These endpoints include:

  • /directory/v1/{dn}/generateTOTPSharedSecret

  • /directory/v1/{dn}/revokeTOTPSharedSecret

  • /directory/v1/deliverOneTimePassword

  • /directory/v1/{dn}/registerYubiKeyOTPDevice

  • /directory/v1/{dn}/deregisterYubiKeyOTPDevice

For more information on these endpoints, see Managing the Directory REST API.

Added support for the 2b password storage variant

New DS-48119 PingDirectory

Updated the bcrypt password storage scheme to include support for the 2b variant in addition to the existing 2y, 2a, and 2x variants.

Added support for post-LDIF-export task processors

New DS-47420 PingDirectory

Added support for post-LDIF-export task processors to use in performing custom processing whenever an LDIF export task (including those invoked as part of a recurring task) successfully completes the export.

These processors include an Upload to S3 processor, which can be used to upload the resulting LDIF file to a specified Amazon S3 bucket. You can also use the Server SDK to create custom post-LDIF-export task processors. For more information, see Performing post-LDIF-export task processing.

Added support for inverted static groups

New DS-46026 PingDirectory

Added support for inverted static groups, which operate like traditional static groups in that membership is explicitly specified rather than dynamically determined, but where membership information is stored in user entries rather than in the group entry. For groups with a large number of members, inverted static groups may exhibit substantially better performance than traditional static groups.

Although it is not enabled by default, the server also provides a new plugin that makes it possible for clients to interact with inverted static groups in much the same way as they interact with traditional static groups. The plugin will intercept attempts to add or remove member DNs in the group entry itself and will instead cause the corresponding changes to be applied in the member entries. It also provides limited support for interacting with group members in the group entry for search and compare operations as if the member DNs actually existed in the group entries. For more information, see Using inverted static groups.

Added a split-ldif tool

New DS-48018 PingDirectory, PingDirectoryProxy

Added a split-ldif tool that can be used to split an LDIF file into multiple segments, each containing a subset of the entries below a specified base DN; entries at or above that base DN are included in every segment. This is primarily intended for splitting a large data set for use in entry balancing, and it offers several algorithms for dividing the entries between segments.
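As an added example (not the split-ldif tool's own code), the following Python splitter implements the partitioning rule described above: entries at or above the base DN are copied into every segment, while each subtree immediately below the base DN is assigned to exactly one segment, either by a stable hash of its top RDN or round-robin. The sample LDIF is constructed, and DN handling is deliberately simplified (case folding and comma splitting only; base64 "dn::" lines are not handled).

```python
"""Added example of the split-ldif partitioning rule: entries at or above the
base DN go into every segment; each subtree directly below it goes into
exactly one. Not the tool's own code; the sample LDIF is constructed."""
import hashlib
import re

# Constructed sample data: one people container with three users.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
sn: Example

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
sn: Example
"""


def parse_ldif(text):
    """Return a list of (dn, lines) entries; folds continuation lines, skips comments."""
    entries, block = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if block:
                entries.append(block)
                block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]          # LDIF continuation line
        else:
            block.append(raw)
    result = []
    for block in entries:
        if not block[0].startswith("dn: "):
            raise ValueError("entry does not start with a dn line: %r" % block[0])
        result.append((block[0][4:], block))
    return result


def dn_components(dn):
    """Simplified DN normalization: split on unescaped commas, trim, lowercase."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]


def relation(dn, base_dn):
    """'at_or_above', 'below' or 'outside' relative to base_dn."""
    d, b = dn_components(dn), dn_components(base_dn)
    if len(d) <= len(b) and b[len(b) - len(d):] == d:
        return "at_or_above"
    if len(d) > len(b) and d[len(d) - len(b):] == b:
        return "below"
    return "outside"


def split_ldif(text, base_dn, num_segments, algorithm="hash"):
    """Return num_segments LDIF strings. Subtrees directly below base_dn stay
    together, assigned by a stable hash of their top RDN or round-robin."""
    segments = [[] for _ in range(num_segments)]
    assigned = {}                      # top RDN below base -> segment index
    base_len = len(dn_components(base_dn))
    for dn, lines in parse_ldif(text):
        if relation(dn, base_dn) == "below":
            top = dn_components(dn)[-(base_len + 1)]
            if top not in assigned:
                if algorithm == "hash":
                    h = hashlib.sha256(top.encode("utf-8")).digest()
                    assigned[top] = int.from_bytes(h[:8], "big") % num_segments
                elif algorithm == "round-robin":
                    assigned[top] = len(assigned) % num_segments
                else:
                    raise ValueError("unknown algorithm: " + algorithm)
            targets = [assigned[top]]
        else:
            # At or above the base DN (this example also treats entries outside
            # the base DN's subtree this way): copy into every segment.
            targets = range(num_segments)
        for i in targets:
            segments[i].append("\n".join(lines))
    return ["\n\n".join(s) + "\n" for s in segments]
```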

Added a new HTTP Connection configuration property

New DS-48055 PingDirectory

Added a new HTTP Connection configuration property to enable SNI hostname checks, which are now disabled by default.

Added a new configuration property for replication servers

New DS-47888 PingDirectory

Added the include-all-remote-servers-state-in-monitor-message configuration property to control whether replication monitor messages include information about remote servers. By default, the property is set to true so that information about remote servers is sent. Setting the property to false may be helpful in large topologies because the size of monitor messages scales with the number of servers.

Added a new log file rotation listener

New DS-47627

Added a new log file rotation listener that can be used to upload newly rotated log files to a specified Amazon S3 bucket. The listener can remove previously uploaded log files based on the specified number or age of files to retain.

Added the ability to share a single database cache

New DS-47756 PingDirectory

Added the ability to share a single database cache across all local DB backends. This is an alternative to the default behavior in which each local DB backend maintains its own independent database cache, and it can simplify cache sizing in deployments with multiple local DB backends. This behavior is controlled by two new global configuration properties:

  • use-shared-database-cache-across-all-local-db-backends: Indicates whether to use a shared database cache. If this property is set to true, then all local DB backends will use a shared database cache, and you must also set the shared-local-db-backend-database-cache-percent property to specify the size of that shared cache. If the property is set to false (the default value), then each local DB backend will maintain its own independent database cache with a size specified by the db-cache-percent configuration property for that backend.

  • shared-local-db-backend-database-cache-percent: Specifies the percentage of the total JVM heap size that will be used for the shared database cache. This property will only be used if the use-shared-database-cache-across-all-local-db-backends property is set to true, in which case the server will ignore the db-cache-percent property in the backend configuration.

If a shared database cache is enabled, the server will expose a Shared Local DB Backend Database Cache monitor entry with information about that shared cache, including how much of the cache is consumed by each of the backends.

Added the re-encode-passwords-on-scheme-config-change property to password policy configuration

New DS-35739 PingDirectory

Added the re-encode-passwords-on-scheme-config-change property to the password policy configuration to indicate if the server should automatically re-encode passwords that are encoded with settings that don’t match the scheme’s current configuration. If a user authenticates with a mechanism that provides their password unencoded, and if the password stored in their entry is encoded with settings that don’t match the current configuration for the associated password storage scheme, then the server now automatically re-encodes their password with the default password storage scheme(s) using the current settings. The following password storage schemes support this functionality: AES256, ARGON2, ARGON2D, ARGON2I, ARGON2ID, BCRYPT, PBKDF2, SCRYPT, SSHA, SSHA256, SSHA384, and SSHA512.

You can also implement this capability for custom password storage schemes developed with the Server SDK.

The ds-pwp-state-json virtual attribute provider has also been updated with a new has-password-encoded-with-non-current-settings field whose value indicates if the user’s password is encoded with settings that don’t match the current configuration, and a new non-current-password-storage-scheme-settings-explanations field that can provide additional details on how the password encoding differs from the current configuration.
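The following added example (not PingDirectory's code) models the re-encoding behaviour described here and in the release overview above: the stored value records the PBKDF2 digest, iteration count, salt length and derived key length it was created with, and a successful clear-text bind compares them with the scheme's current configuration and re-encodes on any mismatch. The storage string format and the settings values are assumptions for the example.

```python
"""Constructed model of re-encoding a password whose stored PBKDF2 settings
no longer match the scheme's current configuration (added example; the
storage string format below is an assumption, not PingDirectory's encoding)."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Pbkdf2Settings:
    """The four PBKDF2 parameters whose mismatch triggers re-encoding."""
    digest: str        # hashlib digest name, e.g. "sha1" or "sha256"
    iterations: int
    salt_length: int   # bytes
    key_length: int    # derived key length in bytes


def encode(password: str, settings: Pbkdf2Settings) -> str:
    """Encode with a fresh random salt; the stored value records its own settings."""
    salt = os.urandom(settings.salt_length)
    key = hashlib.pbkdf2_hmac(settings.digest, password.encode("utf-8"), salt,
                              settings.iterations, settings.key_length)
    return "{PBKDF2}%s$%d$%s$%s" % (
        settings.digest, settings.iterations,
        base64.b64encode(salt).decode("ascii"), base64.b64encode(key).decode("ascii"))


def parse(stored: str):
    """Return (settings actually used, salt, derived key) from a stored value."""
    if not stored.startswith("{PBKDF2}"):
        raise ValueError("not a PBKDF2-encoded value")
    digest, iterations, salt_b64, key_b64 = stored[len("{PBKDF2}"):].split("$")
    salt, key = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    return Pbkdf2Settings(digest, int(iterations), len(salt), len(key)), salt, key


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison against the derived key, using the stored settings."""
    settings, salt, key = parse(stored)
    candidate = hashlib.pbkdf2_hmac(settings.digest, password.encode("utf-8"), salt,
                                    settings.iterations, settings.key_length)
    return hmac.compare_digest(candidate, key)


def non_current_settings_explanations(stored: str, current: Pbkdf2Settings) -> list:
    """Human-readable differences, in the spirit of the
    non-current-password-storage-scheme-settings-explanations field."""
    used, _, _ = parse(stored)
    out = []
    for name in ("digest", "iterations", "salt_length", "key_length"):
        if getattr(used, name) != getattr(current, name):
            out.append("%s is %r but the scheme is now configured with %r"
                       % (name, getattr(used, name), getattr(current, name)))
    return out


def bind(password: str, stored: str, current: Pbkdf2Settings,
         re_encode_on_scheme_config_change: bool = True):
    """Simulate a simple bind. Returns (success, value to store afterwards).

    Re-encoding is only possible because a successful bind handed the server
    the clear-text password; a failed bind never touches the stored value.
    """
    if not verify(password, stored):
        return False, stored
    if re_encode_on_scheme_config_change and non_current_settings_explanations(stored, current):
        return True, encode(password, current)
    return True, stored
```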

Added new arguments to the encrypt-file tool

New DS-47612 PingDirectory

Added a --re-encrypt argument to the encrypt-file tool to read the contents of an existing encrypted file and re-encrypt it with a different encryption settings definition or user-supplied passphrase. If the file is currently encrypted with a user-supplied passphrase, then the --prompt-for-current-passphrase or --current-passphrase-file argument should be used to supply the current encryption passphrase. If the file is currently encrypted with an encryption settings definition, then that definition will automatically be obtained from the encryption settings database.

Added a --find-encrypted-files argument to the encrypt-file tool to identify encrypted files in a specified location on the filesystem. By default, the tool will search for files that are encrypted with any encryption settings definition or a user-supplied passphrase, but it can be used in conjunction with the --encryption-settings-id argument to only identify files that are encrypted with the specified definition.

These new arguments can be useful when migrating away from a former encryption settings definition, particularly if the former definition will eventually be removed from the encryption settings database. If a definition is removed from the encryption settings database, any files encrypted with that definition will no longer be accessible.

Added the replication-missing-changes-policy configuration property

New DS-45452, DS-47383 PingDirectory

Added a replication-missing-changes-policy configuration property for both replication servers and replication domains to control how replication handles missing changes. This property can be used to avoid missing changes lockdown in cases where such lockdown is not beneficial to the server.

When the missing changes policy is modified, connections are restarted so that the missing changes state can be reevaluated. Lockdown mode is not cleared, but may be cleared by running the leave-lockdown-mode tool.

Added support for an access log field request control

New DS-47557 PingDirectory, PingDirectoryProxy

Added support for an access log field request control to specify field names and values that should be included in the access log message for the associated operation.

Added support for a generate access token request control

New DS-47570 PingDirectory, PingDirectoryProxy

Added support for a generate access token request control that can be included in a bind request to indicate that the server should generate and return an access token in the bind response. That access token may be used in conjunction with the OAUTHBEARER SASL mechanism to authorize subsequent connections by that client. This can be useful in cases where the initial authentication should be performed in a manner that involves single-use credentials like a time-based one-time password, a delivered one-time password, or a one-time password generated by a YubiKey device, but the client wishes to establish multiple connections in which the initial credentials cannot be replayed.

Upgraded Jetty

Info DS-48071 PingDirectory

Upgraded Jetty version to 10.0.17.

Removed support for Java 8

Info DS-47558 PingDirectory

Removed support for Java 8 in the PingDirectory server. For more information, see System requirements. For information on upgrading from a PingDirectory instance installed with Java 8, see PingDirectory, PingDirectoryProxy, and PingDataSync.

Removed support for two dsreplication subcommands

Info DS-47916 PingDirectory

Removed support for the deprecated remove-defunct-server and cleanup-local-server dsreplication subcommands. To remove a defunct server from the topology, use the remove-defunct-server command-line tool. To clean up topology references on a server, run remove-defunct-server --performLocalCleanup.

Removed the PingDataMetrics Server

Info DS-46012 PingDataMetrics

PingDataMetrics was previously deprecated and has been removed from this release. For more information about support for versions of PingDirectory containing PingDataMetrics, see Ping Identity’s End-of-Life Policy (sign on required).

To monitor and provide statistics for your PingDirectory suite of products, see Monitoring PingDirectory metrics with Splunk and Monitoring server metrics with Prometheus.

Improved communication with external HTTP services

Improved DS-47454 PingDirectory

Updated the server to allow configuration of connect and response timeouts when communicating with external HTTP services, such as CyberArk Conjur and HashiCorp Vault instances, the Pwned Passwords service, and YubiKey OTP validation servers.

Updated zip compression process

Improved DS-45148 PingDirectory

To improve server performance and prevent invalid block type errors, java.util.zip will now be used instead of com.jcraft.jzlib for zip compression.

Improved how the replication generation ID is calculated

Improved DS-47695 PingDirectory

The replication generation ID, a value used by replication to determine if replicas are compatible and can be replicated, will now be calculated in a way that is independent of the disk order in which the entries are stored. This is helpful when entries are imported into new servers instead of being initialized.

Improved password security when using the Directory REST API

Improved DS-48092 PingDirectory

To increase password security when using the Directory REST API, we improved the sanitization of password-related data in API responses.

Improved server upgrade times

Improved DS-47799 PingDirectory

Improved server upgrade times by streamlining the post-upgrade stability checks.

Improved memory handling for export-ldif and backup tools

Improved DS-44417 PingDirectory

To help avoid excessive memory pressure on a server running multiple processes, we reduced the JVM memory requirements for the export-ldif and backup command-line tools.

Updated the backup tool to include a compression warning

Improved DS-48121 PingDirectory

To help you manage your backup and restore times, the backup tool now displays a warning when you run it with the --compress flag on an encrypted backend.

Updated dsreplication tool to avoid overwrites

Improved DS-47820 PingDirectory

dsreplication commands that produce an error are now archived to avoid being overwritten. In addition, the dsreplication command now logs subcommands in separate files.

Improved performance for backup, restore, and online replica initialization

Improved DS-45157 PingDirectory

Significantly improved the performance times of backup, restore, and online replica initialization processes.

Improved performance of static group updates

Improved DS-47402, DS-47410, DS-47412, DS-47413 PingDirectory

Improved performance when making updates to static groups.

Updated the handling of extraneous data when syncing with Active Directory

Improved DS-46635 PingDataSync

For Active Directory Sync sources, when setting the startpoint to end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this update, setting the startpoint should be faster, particularly for slow networks.

Fixed an issue when initializing subhandlers on startup

Fixed DS-48046 PingDirectory

Fixed an issue where an AggregatePTAhandler’s subhandlers sometimes did not properly initialize on startup and threw a NullPointerException.

Fixed a logging issue when using proxied authorization

Fixed DS-48157 PingDirectory

Fixed an issue where the server did not properly log the alternative authorization DN for multi-update extended operations that used proxied authorization.

Fixed a duplication issue when running dsjavaproperties --initialize

Fixed DS-45206

Fixed an issue where running dsjavaproperties --initialize would append duplicate arguments to common.java-args in the java.properties file.

Fixed an issue with error logging

Fixed DS-48084 PingDirectory

Fixed an issue where a cn=config does not exist error message would appear in the error logs after navigating to the status page of the administrative console.

Fixed an issue with running manage-profile generate-profile on an upgraded instance

Fixed DS-47381

Fixed an issue where running manage-profile generate-profile on an instance that had been upgraded from an earlier version would result in a profile that contained commands that were part of the upgrade, and could not be used to set up new installations.

Fixed an issue with password validation

Fixed DS-47875 PingDirectory

Fixed an issue where the Dictionary password validator would sometimes incorrectly handle dictionary words contained as password substrings.

Fixed an issue that prevented use of the Changelog Password Encryption plugin in replicated environments

Fixed DS-48205 PingDirectory

Fixed an issue where the Changelog Password Encryption plugin would not work properly in a replicated environment if a password was changed with a Password Modify extended operation.

Fixed an issue with rootDSE searches

Fixed DS-47821 PingDirectory

Fixed an issue where an ldapsearch for rootDSE did not exclude the baseDNs that were specified in a client connection policy.

Fixed an incorrect help text suggestion when running dsreplication initialize

Fixed DS-47878 PingDirectory

Fixed an issue where help text incorrectly suggested using the --force flag if unable to connect to the server properly when running dsreplication initialize.

Fixed issues with password history

Fixed DS-47798, DS-47898, DS-47924 PingDirectory

Fixed an issue that could prevent the server from properly updating a user’s password history for a password change if the request included the password update behavior request control, indicating that password history violations should be ignored. This control is designed to prevent the server from rejecting an attempt to change a user’s password if the new password is already in the history, but it incorrectly caused the server to skip all password history processing for the update.

Fixed an issue that could cause the server to add two copies of the current password into the password history when setting a new password with the password modify extended operation. This did not affect password changes with a regular LDAP modify operation.

Fixed an issue where the server could incorrectly allow a user to set an empty password in cases where none of the configured password validators would have rejected an empty password.

Fixed the server’s handling of compact values for the ds-cfg-allow-pre-encoded-passwords attribute

Fixed DS-43034, DS-47832 PingDirectory

Fixed a regression that was introduced in the 9.3.0.0 release to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. This issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.

This fix enables the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. When the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address this issue.

Fixed an issue with replace modifications for attributes

Fixed DS-47975 PingDirectory

Fixed an issue that could prevent replace modifications for attribute types with subordinate types from being properly applied.

Fixed the server’s handling of SCIM patch operations including empty arrays

Fixed DS-47790 PingDirectory

Fixed an issue where the Configuration API treated SCIM patch operations with empty arrays as invalid. Now, the API resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.

Fixed the server’s handling of search operations

Fixed DS-47585 PingDirectory

Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. The server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys, the allowed time limit could be exceeded in that portion of the processing.

Fixed an issue with encryption settings initialization

Fixed DS-47784 PingDirectory

Fixed an issue where encryption settings were not initialized before initializing password policy components when running remove-defunct-server against servers configured with an AES256 password storage scheme.

Fixed an issue with expensive operation logging

Fixed DS-47614 PingDirectory

Fixed an issue that caused the server to incorrectly include client certificate messages in the expensive operations log.

Fixed an issue with LDAP Connection Handler objects

Fixed DS-46312

Fixed an issue where the absence of the request-handler-per-connection configuration property for LDAP Connection Handler objects resulted in a single request handler being unable to acknowledge incoming client requests for long-running TLS negotiations.

Fixed the check-replication-domains tool requirements

Fixed DS-47655

Fixed the check-replication-domains tool so that the --serverRoot argument is no longer required, and it defaults to the server’s root directory.

Fixed a missing changes error when performing replication

Fixed DS-47289 PingDirectory

Fixed a possible NullPointerException replication error that occurred when missing changes were found for a replica, but that replica did not exist on all servers.

Fixed an issue with account lockout

Fixed DS-47035 PingDirectory

Fixed an issue that could prevent an unsuccessful bind attempt from being properly counted toward account lockout for a user. If the user’s account had been temporarily locked as a result of too many failed authentication attempts, and if the first bind attempt after that temporary lockout period had elapsed was also unsuccessful, then the act of clearing the elapsed temporary lockout prevented the new failure from being properly recorded.
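The following added example (not PingDirectory's code) models the failure-counting edge case described above: the account is locked, the temporary lockout expires, and the first failed bind after expiry must still count. The pre-fix path, where clearing the elapsed lockout ended processing, is kept beside the corrected path so the difference is measurable; the policy values and state layout are assumptions.

```python
"""Constructed model of the temporary-lockout counting bug described above
(DS-47035) beside the corrected behaviour. Added example; policy values and
state layout are assumptions, not PingDirectory internals."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3          # failed binds before a temporary lockout
    lockout_duration: float = 300  # seconds the temporary lockout lasts


@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)
    locked_at: Optional[float] = None


def is_temporarily_locked(state: AccountState, policy: LockoutPolicy, now: float) -> bool:
    return state.locked_at is not None and now - state.locked_at < policy.lockout_duration


def record_failed_bind(state: AccountState, policy: LockoutPolicy, now: float,
                       fixed: bool = True) -> bool:
    """Process one unsuccessful bind at time `now`; return True if the account
    is temporarily locked afterwards."""
    if state.locked_at is not None and not is_temporarily_locked(state, policy, now):
        # The temporary lockout has elapsed, so clear it and its failure history.
        state.locked_at = None
        state.failure_times.clear()
        if not fixed:
            # Pre-fix behaviour: clearing the elapsed lockout ended processing,
            # so the failure that triggered the clearing was never counted.
            return False
    state.failure_times.append(now)
    if len(state.failure_times) >= policy.max_failures:
        state.locked_at = now
        return True
    return False


def failures_needed_to_relock(fixed: bool) -> int:
    """Lock the account once, let the lockout expire, then count how many
    consecutive failed binds it takes to lock it again."""
    policy, state = LockoutPolicy(), AccountState()
    for t in (0.0, 1.0, 2.0):
        record_failed_bind(state, policy, t, fixed)
    assert is_temporarily_locked(state, policy, 100.0)
    now, attempts = policy.lockout_duration + 100.0, 0
    while True:
        attempts += 1
        if record_failed_bind(state, policy, now + attempts, fixed):
            return attempts
```

With the fix, max_failures (3) failed binds after expiry re-lock the account; the pre-fix path needs one more because the first is dropped.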

Fixed the server’s handling of alerts or alarms without configuration

Fixed DS-47455

Fixed a NullPointerException error where an alert or alarm was raised and one or more of the alert handlers was not configured. This most commonly happened when the server was being stopped.

Fixed the formatting of Generic JDBC sync pipe destination attributes

Fixed DS-47918 PingDataSync

We fixed an issue where, when using the create-sync-pipe-config command, the correlated attributes for Generic JDBC sync pipe destinations were written as a single string value. The attributes are now correctly split on commas.

Fixed an issue with syncing to Active Directory

Fixed DS-48151 PingDataSync

Fixed an issue where syncing to an Active Directory sync destination could result in the destination rejecting operations if a DN map was not configured on the sync class, and if the operations included modifications to the unicodePwd attribute.

Fixed an issue with synchronizing the enabled attribute in a PingOne destination

Fixed DS-47905 PingDataSync

Fixed an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.

To create an attribute mapping that will modify the enablement status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This will ensure that the enabled attribute will always have a well-defined value, even if the source attribute is not present on an entry in the source server.

dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=)) : true'

Fixed an issue with the manage-topology add-server command

Fixed DS-45527 PingDataSync

Fixed an issue where a NullPointerException would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Fixed issue with reported availability of backends

Fixed DS-48040 PingDirectoryProxy

Fixed an issue where Proxy would not accurately report the availability of backends added through automatic backend discovery.

Support for HashiCorp Vault password storage schemes

Issue DS-49305 PingDirectory

Currently, the PingDirectory server only supports version 1 of the HashiCorp Vault KV secrets engine for password storage schemes. Learn more about KV version 1 in the Vault KV secrets engine documentation.

Delegated Admin 5.0 (December 2023)

Fixed an unresponsive Save button

Fixed DS-48349 Delegated Admin

Fixed an issue where the Save button did not respond when editing a user. This issue affected users configured with an auxiliary LDAP object class that required the userPassword attribute.

Previous Releases

For information about enhancements and issues resolved in previous major and minor releases of PingDirectory products, follow the links below to their release notes: