PingDS release notes

Release notes

These release notes cover multiple versions of DS software, starting with version 5.5. They are designed to make it easier to upgrade, especially when you are skipping releases.

Some older DS versions have reached the end of support (EOS) or end of life (EOL). Learn more in Ping Identity Product Support Lifecycle Policy | PingAM, PingDS, PingIDM and IGA. If you are still running an EOS or EOL version, upgrade as soon as possible to an actively maintained version.

About DS

PingDS software provides an LDAPv3-compliant directory service, developed for the Java platform, delivering a high-performance, highly available, and secure store for the identities managed by your organization. Read these notes before you install or upgrade PingDS software.

The easy installation process, combined with the power of the Java platform, makes this the simplest and fastest directory service to deploy and manage. PingDS software comes with plenty of tools. PingDS software also offers REST access to directory data over HTTP.

Ping Identity offers training and support subscriptions to help you get the most out of your deployment.

Name changes for ForgeRock products

Product names changed when ForgeRock became part of Ping Identity.

The following name changes have been in effect since early 2024:

Old name                       New name
ForgeRock Identity Cloud       PingOne Advanced Identity Cloud
ForgeRock Access Management    PingAM
ForgeRock Directory Services   PingDS
ForgeRock Identity Management  PingIDM
ForgeRock Identity Gateway     PingGateway

Learn more about the name changes in New names for ForgeRock products in the Knowledge Base.

Downloads

The BackStage download site provides access to Ping Identity releases.

Latest release Description

DS-7.5.1.zip

Cross-platform distribution of the server software.

Pure Java, high-performance server that can be configured as:

  • An LDAPv3 directory server with the additional capability to serve directory data to REST applications over HTTP.

  • An LDAPv3 directory proxy server providing a single point of access to underlying directory servers.

  • A replication server handling replication traffic with directory servers and with other replication servers, receiving and sending changes to directory data.

Server distributions include command-line tools for installing, configuring, and managing servers. The tools make it possible to script all operations.

By default, this file unpacks into an opendj/ directory.

DS-7.5.1.msi

Microsoft Windows native installer for the server software.

By default, this installs files into a C:\Program Files (x86)\OpenDJ\ directory.

DS_7.5.1-1_all.deb

Server software native packages for Debian and related Linux distributions.

By default, this installs files into an /opt/opendj/ directory.

DS-7.5.1-1.noarch.rpm

Server software native packages for Red Hat and related Linux distributions.

By default, this installs files into an /opt/opendj/ directory.

DS-dsml-servlet-7.5.1.war

Cross-platform DSML gateway web archive.

DS-hdap-servlet-7.5.1.war

Cross-platform HDAP gateway web archive.

DS-rest2ldap-servlet-7.5.1.war

Cross-platform REST to LDAP gateway web archive.

Requirements

Ping Identity supports customers deploying DS in Docker containers and on Kubernetes platforms, as well as on bare metal or in virtual machines (VMs), provided you have the requisite skills and follow the hardware and software requirements specified here.

Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can reproduce the problem on a combination covered here.

Hardware

Thanks to the underlying Java platform, DS software runs well on a variety of processor architectures. Many directory service deployments meet their service-level agreements without the latest or fastest hardware.

This section covers basic requirements, which might be enough for your deployment.

Before and after deploying in production, test whether the deployment meets your service-level objectives. If performance is acceptable, good.

When you uncover problems, troubleshoot performance issues.

Memory

When installing DS for evaluation, give the server at least 1 GB of available RAM.

For production systems, memory requirements depend on your data and performance expectations.

Required cache

DS must cache the following data in memory:

ACIs

If ACIs make up a significant percentage of the directory data, make sure DS has enough RAM to keep the ACIs cached. This can be the case, for example, in deployments where applications routinely create ACIs programmatically.

Static groups

If you have many static groups, make sure DS has enough RAM to keep them cached. With DS 7.3 and later, you can read group statistics over LDAP or over HTTP.

LDAP subentries

If your deployment has significant numbers of subentries, such as replicated password policies, make sure DS has enough RAM to keep them cached. With DS 7.3 and later, you can read subentry statistics over LDAP or over HTTP.

Argon2

If your deployment relies on the Argon2 password storage scheme, the default settings use less than 1 GB of available RAM.

When you change the Argon2 settings to strengthen the algorithm or to handle more authentications in parallel, increase the memory available to DS.

Database cache

DS caches JE backend data in memory according to the database cache settings.

Make sure DS has enough RAM to cache at least all internal nodes.

Disk space

When installing DS for evaluation, make sure you have 10 GB free disk space for the software and example data.

For installation in production, the more data you have, the more disk space you need:

  • Plan for four times the disk space needed for initial production data in LDIF format.

    Leave space for growth in database size as client applications change and add entries over time. A replicated directory server stores data, indexes for the data, operational attribute data, and historical information for replication.

    DS servers trade disk space for performance and resilience by compacting and purging data.

  • For a better estimate of the required disk space:

    1. Configure DS for production.

    2. Import a known fraction of the initial LDIF.

    3. Simulate realistic traffic to estimate change and growth in directory data.

    4. Extrapolate from the actual space occupied in testing to estimate the disk space required in production.

  • To improve performance, use quality solid state disk drives with fast I/O and high throughput.

CPU architectures

Processor architectures with fast single thread execution help DS deliver the lowest response times. For top-end performance with sub-millisecond response times and thousands of operations per second, the latest x86/x64 architecture chips perform better than others.

  • When deploying DS servers with replication enabled, provision at least two CPU cores per server. In high-volume deployments, provision more cores. Single CPU systems limit server performance.

  • If your deployment relies on a CPU-intensive password storage scheme, such as Bcrypt or PBKDF2, provision enough CPU cores per server. When you increase the number of iterations, increase the CPU cores available to DS.

Network

On systems with fast processors and enough memory to cache directory data completely, the network can become a bottleneck. Even if a single 1 Gb Ethernet interface offers plenty of bandwidth to handle your average traffic load, it can be too small for peak traffic loads. Consider using separate interfaces for administrative traffic and for application traffic.

To estimate the network hardware required, calculate the size of the data returned to applications during peak load. For example, if you expect to have a peak load of 100,000 searches per second, each returning a full 8 KB entry, you require a network that can handle 800 MB/sec (3.2 Gb/sec) throughput, not counting other operations, such as replication traffic.

Storage

The directory server does not support network file systems such as NFS for database storage.

Provide sufficient disk space on local storage such as internal disk or an attached disk array.

For a directory server, storage hardware must house both directory data, including historical data for replication, and server logs. On a heavily used server, you might improve performance by putting access logs on dedicated storage.

Storage must keep pace with throughput for write operations. Write throughput can arise from modify, modify DN, add, and delete operations, and from bind operations when a login timestamp is recorded, and when account lockout is configured, for example.

In a replicated topology, a directory server writes entries to disk when they are changed, and a replication server writes changelog entries. The server also records historical information to resolve potential replication conflicts.

As with network throughput, base the required storage throughput on peak loads rather than average loads.

FQDNs

DS replication requires the use of fully qualified domain names (FQDNs).

Hostnames like localhost or my-laptop.local are acceptable for evaluation.

When setting up and configuring production servers, use FQDNs, and ensure DNS is set up correctly to provide FQDNs.

As a workaround when demonstrating across multiple host systems, you can update the hosts file, /etc/hosts or C:\Windows\System32\drivers\etc\hosts, to specify FQDNs.

Examples in the documentation use the hostname localhost to contact local DS servers. Trust in the examples depends on the use of a deployment ID and password when setting up servers. A server certificate generated from a deployment ID and password has localhost as the default hostname. By using the --hostname localhost option with a DS command-line tool, you simplify the secure connection process. When the tool validates the specified hostname against the hostname in the server certificate, they match. There is no need to add the server’s hostname to the server certificate.

When making a secure connection to a remote server, be sure the FQDN in the --hostname fqdn option matches a valid hostname in the server certificate. If the server certificate is generated with a deployment ID and password, you can easily renew the certificate to change or add a hostname. For examples, refer to Replace a TLS key pair or Generate a key pair (wildcard certificate).

Adapt the examples as necessary when using your own certificates, keys, and PKI.

Clock synchronization

Before using DS replication, set up synchronization between server system clocks.

To keep the system clocks synchronized, use a process that adjusts time to eventual clock consistency, such as ntpd. NTP adjusts the size of a second to move time to eventual clock consistency.

Once you have enabled replication, avoid moving the system clock in large increments, such as more than half a day at a time, or possibly less for systems under high load.

Certificates

For secure network communications with client applications that you do not control, install a properly signed digital certificate that your client applications recognize, such as one that works with your organization’s PKI, or one signed by a recognized CA.

To use the certificate during installation, the certificate must be located in a file-based keystore supported by the JVM (JKS, JCEKS, PKCS#12), or on a PKCS#11 token. To import a signed certificate into the server keystore, use the Java keytool command.

For details, refer to Key management.

HSM

DS 7.2.0 and later supports the standard PKCS#11 interface and uses hardware security modules (HSMs) through Java APIs for PKCS#11. Your HSM and client libraries must support access through standard Java security APIs, such as those following the PKCS#11 standard v2.20 or later. DS servers do not support vendor-specific interfaces.

DS servers use an HSM only to hold asymmetric key pairs and, optionally, CA certificates. DS does not store symmetric (secret) keys on the HSM.

Instead, DS uses a shared master key, which is an asymmetric key pair, to encrypt and decrypt the symmetric keys. DS stores symmetric keys (encrypted) with the data they protect. If you use an HSM for the shared master key, the HSM must share the identical master key with all DS servers in the deployment. Otherwise, DS servers cannot decrypt symmetric keys from another server, and therefore replicas cannot decrypt each other’s data.

Also, if you use an HSM for the shared master key, read the documentation carefully before you install DS. When you set up the server, you must avoid accidentally encrypting data while using the wrong shared master key.

For details, refer to PKCS#11 hardware security module.

Operating systems

DS software is supported on the following operating systems:

Operating system DS 5.5 DS 6.0 DS 6.5 DS 7.0 DS 7.1 DS 7.2 DS 7.3 DS 7.4 DS 7.5

Amazon Linux

2017.03

2, 2017.09

2, 2017.09, 2018.03

2018.03

2, 2018.03

2, 2018.03, 2023(1)

CentOS

6, 7

7, 8(2)

(Not supported)

Debian Linux

(Not supported)

11

Microsoft Windows Server(3)

2008, 2008 R2, 2012, 2012 R2, 2016

2016, 2019

2016, 2019, 2022

Oracle Solaris 10, 11 (SPARC, x64)

(Not supported)

10, 11(4)

(Not supported)

Red Hat Enterprise Linux

6, 7

7, 8(2)

7, 8(2),(5)

7, 8, 9(2),(5)

Rocky Linux

(Not supported)

8.5, 9(2)

9(2)

SuSE

11

12

12, 15

Ubuntu

14.04 LTS, 16.04 LTS

14.04 LTS, 16.04 LTS, 18.04 LTS

18.04 LTS, 20.04 LTS

18.04 LTS, 20.04 LTS, 22.04 LTS

(1) Support for Amazon Linux 2023 in DS 7.4.x starts with 7.4.2. Support for Amazon Linux 2023 in DS 7.3.x starts with 7.3.5.

(2) Write barriers for the default XFS file system are permanently enabled.

(3) PingDS is fully supported on Windows; however, it has been specifically optimized for Linux environments. Customers who require advanced integration with the operating system, including but not limited to service management, DNS, and other system-level functions, will find a Linux-based OS provides a more seamless and robust experience. Therefore, for optimal performance and enhanced integration capabilities, use a Linux-based operating system.

(4) After DS 5, DS 6.5.x was the only release to support Solaris.

(5) Red Hat Enterprise Linux 8 and OpenJDK with FIPS mode enabled do not support the PBKDF2WithHmacSHA256 SecretKeyFactory algorithm and are incompatible with DS.

Write barriers (Linux)

Write barriers and journaling mode for Linux file systems help avoid directory database file corruption. They make sure writes to the file system are ordered even after a crash or power failure. Make sure these features are enabled.

Some Linux distributions permanently enable write barriers. There is no administrative action to take.

Other Linux systems leave the decision to you. If your Linux system lets you configure write barriers and journaling mode for the file system, refer to the options for your file system in the mount command manual page for details on enabling them.

Maximum open files

DS servers must open many file descriptors when handling thousands of client connections.

Linux systems often set a limit of 1024 open files per user. That setting is too low to accept thousands of client connections.

Make sure the server can use at least 64K (65536) file descriptors. For example, when running the server as user opendj on a Linux system that uses /etc/security/limits.conf to set user level limits, set soft and hard limits by adding these lines to the file:

opendj soft nofile 65536
opendj hard nofile 131072

The example above assumes the system has enough file descriptors available overall. Check the Linux system overall maximum as follows:

$ cat /proc/sys/fs/file-max
204252

Maximum watched files

A directory server backend database monitors file events. On Linux systems, backend databases use the inotify API for this purpose. The kernel tunable fs.inotify.max_user_watches indicates the maximum number of files a user can watch with the inotify API.

Make sure this tunable is set to at least 512K:

$ sysctl fs.inotify.max_user_watches
fs.inotify.max_user_watches = 524288

If this tunable is set lower than that, update the /etc/sysctl.conf file to change the setting permanently, and use the sysctl -p command to reload the settings:

$ echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf
[sudo] password for admin:

$ sudo sysctl -p
fs.inotify.max_user_watches = 524288
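As an added example (not part of the DS documentation or distribution), the following POSIX shell preflight script checks a host against the limits described in the two sections above: the soft and hard nofile limits for the DS user in a limits.conf-style file, the system-wide fs.file-max, and fs.inotify.max_user_watches. The user name opendj, the /etc/security/limits.conf path and the minimum values come from the notes; the function names and the DS_PREFLIGHT_SKIP, DS_USER and LIMITS_CONF variables are this script's own assumptions.

```shell
#!/bin/sh
# Preflight check for the per-user and kernel limits the DS release notes call out.
# Added example, not part of the DS distribution. Thresholds from the notes:
#   - at least 65536 open file descriptors for the DS user (soft and hard nofile)
#   - at least 524288 inotify watches (fs.inotify.max_user_watches)
# The function names and DS_PREFLIGHT_SKIP/DS_USER/LIMITS_CONF are this script's own.

DS_MIN_NOFILE=65536
DS_MIN_WATCHES=524288

# check_min NAME CURRENT REQUIRED
# Prints a one-line verdict. Returns 0 when CURRENT >= REQUIRED, 1 when it is too
# low, and 2 when CURRENT is not a number (for example "unlimited" or an empty value
# because the setting could not be read).
check_min() {
  name=$1; current=$2; required=$3
  case $current in
    ''|*[!0-9]*) echo "WARN  $name: could not read a numeric value ('$current')"; return 2 ;;
  esac
  if [ "$current" -ge "$required" ]; then
    echo "OK    $name: $current (minimum $required)"
    return 0
  fi
  echo "FAIL  $name: $current is below the minimum $required"
  return 1
}

# read_sysctl KEY
# Reads a kernel tunable from /proc/sys without depending on the sysctl binary:
# fs.inotify.max_user_watches becomes /proc/sys/fs/inotify/max_user_watches.
# Prints nothing when the file does not exist (for example on non-Linux hosts).
read_sysctl() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  [ -r "$path" ] && cat "$path"
}

# read_limit USER TYPE FILE
# Prints the nofile limit of TYPE (soft or hard) for USER from a limits.conf-style
# file. As with PAM, an exact user entry wins over a '*' entry, and the last
# matching line applies. Prints nothing when no entry exists or FILE is unreadable.
read_limit() {
  [ -r "$3" ] || return 0
  awk -v u="$1" -v t="$2" '
    $1 !~ /^#/ && NF >= 4 && $2 == t && $3 == "nofile" {
      if ($1 == u) user = $4; else if ($1 == "*") any = $4
    }
    END { if (user != "") print user; else if (any != "") print any }' "$3"
}

# preflight USER LIMITS_FILE
# Runs every check and returns 0 only if all of them pass.
preflight() {
  user=${1:-opendj}; limits=${2:-/etc/security/limits.conf}; rc=0
  soft=$(read_limit "$user" soft "$limits")
  hard=$(read_limit "$user" hard "$limits")
  check_min "soft nofile for $user in $limits" "$soft" "$DS_MIN_NOFILE" || rc=1
  check_min "hard nofile for $user in $limits" "$hard" "$DS_MIN_NOFILE" || rc=1
  # The system-wide maximum must cover at least the configured hard limit.
  case $hard in ''|*[!0-9]*) need=$DS_MIN_NOFILE ;; *) need=$hard ;; esac
  check_min "fs.file-max (system-wide)" "$(read_sysctl fs.file-max)" "$need" || rc=1
  check_min "fs.inotify.max_user_watches" "$(read_sysctl fs.inotify.max_user_watches)" \
            "$DS_MIN_WATCHES" || rc=1
  return $rc
}

# Run against the live host when executed directly.
# Set DS_PREFLIGHT_SKIP=1 to only load the functions (for sourcing or testing).
if [ -z "${DS_PREFLIGHT_SKIP:-}" ]; then
  if preflight "${DS_USER:-opendj}" "${LIMITS_CONF:-/etc/security/limits.conf}"; then
    echo "preflight: all limits meet the DS minimums"
  else
    echo "preflight: fix the FAIL/WARN items before deploying DS"
  fi
fi
```

Run it as root on the target host after editing limits.conf and sysctl.conf; WARN lines mean a value could not be read rather than a confirmed failure.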

Antivirus interference

Prevent antivirus and intrusion detection systems from interfering with DS software.

Before using DS software with antivirus or intrusion detection software, consider the following potential problems:

Interference with normal file access

Antivirus and intrusion detection systems that perform virus scanning, sweep scanning, or deep file inspection are not compatible with DS file access, particularly write access.

Antivirus and intrusion detection software have been known to incorrectly flag DS files as infected, because they misinterpret normal DS processing.

Prevent antivirus and intrusion detection systems from scanning DS files, except for the following folders:

/path/to/opendj/bat/     Windows command-line tools
/path/to/opendj/bin/     Linux command-line tools
/path/to/opendj/extlib/  Optional additional .jar files used by custom plugins
/path/to/opendj/lib/     Scripts and libraries shipped with DS servers

Port blocking

Antivirus and intrusion detection software can block ports that DS uses to provide directory services.

Make sure that your software does not block the ports that DS software uses. For details, refer to Administrative access.

Negative performance impact

Antivirus software consumes system resources, reducing resources available to other services including DS servers.

Running antivirus software can therefore have a significant negative impact on DS server performance. Make sure that you test and account for the performance impact of running antivirus software before deploying DS software on the same systems.

Java

  • Always use a JVM with the latest security fixes.

  • Make sure you have a supported Java environment installed on the system.

    If your default Java environment is not appropriate, use one of the following solutions:

    • Edit the default.java-home setting in the opendj/config/java.properties file.

    • Set OPENDJ_JAVA_HOME to the path to the correct Java environment.

    • Set OPENDJ_JAVA_BIN to the absolute path of the java command.

  • When running the dskeymgr and setup commands, use the same Java environment everywhere in the deployment.

    Due to a change in Java APIs, the same DS deployment ID generates different CA key pairs with Java 11 and Java 17.

DS software is supported on the following Java environments:

Vendor DS 5.5 DS 6.0 DS 6.5 DS 7.0(1) DS 7.1(1) DS 7.2(1) DS 7.3(1) DS 7.4(1) DS 7.5(1)

OpenJDK(2)

8

8, 11(3)

11(3)

11(3), 17(4)

17(5), 21

Oracle Java

(1) DS and the dskeymgr and setup commands require support for the PBKDF2WithHmacSHA256 SecretKeyFactory algorithm. The FIPS settings on some operating systems limit the available algorithms. For example, Red Hat Enterprise Linux 8 and OpenJDK in FIPS mode use incompatible settings.

(2) DS supports OpenJDK-based distributions, including:

  • AdoptOpenJDK/Eclipse Temurin Java Development Kit (Adoptium)

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

Ping Identity tests most extensively with AdoptOpenJDK/Eclipse Temurin. Ping Identity recommends using the HotSpot JVM.

(3) DS requires Java 11.0.6 or later. Earlier Java 11 updates lack required cryptography fixes.

(4) DS requires Java 17.0.3 or later. Earlier Java 17 updates lack required cryptography fixes.

(5) DS requires Java 17.0.8 or later.

TLS cipher support depends solely on the JVM. For details, refer to TLS settings.

Application containers

The gateway applications support the following web application containers:

Container DS 5.5 DS 6.0 DS 6.5 DS 7.0 DS 7.1 DS 7.2 DS 7.3 DS 7.4 DS 7.5

Apache Tomcat

8.5, 9

IBM WebSphere Liberty

(Not supported)

20.0.0.1

22.0.0.4

JBoss Enterprise Application Platform

(Not supported)

7.2

7.3

7.4

Wildfly

(Not supported)

12, 19

15, 19

15, 26

Kubernetes deployments

Deploying PingDS in Kubernetes poses unique challenges you must navigate carefully. A successful deployment depends on well-prepared teams with the necessary skills and experience. Thorough planning, appropriate recovery strategies, and proper configuration for storage and data replication are all essential for a stable, high-performance deployment.

Your team members must have expertise in DS and in managing stateful applications in Kubernetes, successfully meeting all the challenges described in this section.

Does your team lack expertise in DS, Kubernetes, or the challenges for stateful applications described here? If so, choose a simpler cloud deployment option with less complexity and fewer administrative challenges, such as using PingOne Advanced Identity Cloud or deploying DS in VMs.

A stateful database in a stateless environment

Kubernetes is designed to serve ephemeral and stateless workloads it can easily spin up, duplicate, and destroy. DS is a distributed database, a very stateful application, that relies heavily on persistent data storage.

Make sure you properly manage replicas and their data to keep the service running across pod restarts and failures.

High availability (HA)
  • Spread replicas across physical nodes.

    Use anti-affinity to ensure Kubernetes schedules DS pods on different nodes. Anti-affinity helps prevent a single point of failure where all replicas in a region run on the same physical system and all crash together when that system fails.

  • Spread replicas across availability zones.

    In multi-zone deployments, use anti-affinity to schedule replicas in different availability zones or failure domains. This improves HA and facilitates disaster recovery. Failures in one zone don’t bring down the entire service.

Fault tolerance and resilience
  • Mitigate hardware, network, and node failures.

    Use anti-affinity to make Kubernetes schedule DS pods on different nodes. When the hardware fails, the network goes out, or a node crashes, it should affect one replica at a time.

    Beyond HA, keeping DS pods on separate nodes prevents competition for system resources.

Costs of anti-affinity
  • Higher resource demands.

    Anti-affinity requires additional nodes to satisfy the scheduling constraints. If the Kubernetes cluster doesn’t have enough nodes, pods remain unscheduled.

    Don’t let DS pods remain unscheduled. DS requires multiple replicas to ensure HA of the identity data storage layer.

  • Workload balancing.

    Anti-affinity rules can lead to underutilized nodes when the cluster can’t balance workloads effectively. Tune your anti-affinity rules for both availability and efficient use of resources.

  • Configuration complexity.

    Configuring anti-affinity policies requires careful planning. A policy that is too strict leads to scheduling failures. A policy that is too lenient defeats the purpose of fault tolerance.

    Anti-affinity prevents pods from being scheduled on the same node, but it can require affinity rules to ensure Kubernetes schedules pods in certain zones or regions. This dual configuration of affinity and anti-affinity adds complexity to the scheduling strategy.

  • Pod scheduling complexity.

    When a node fails, Kubernetes attempts to reschedule the pod on another node that satisfies the anti-affinity rules. If no suitable nodes are available, the pod can remain unscheduled for an extended period, affecting HA.

Persistent storage management

It is a major challenge to ensure Kubernetes stores data reliably across node restarts, pod failures, and rescheduling.

Data persistence

Kubernetes uses PersistentVolumeClaims (PVCs) and PersistentVolumes (PVs) for storage. Managing these storage resources, especially across different environments or cloud providers, adds significant complexity.

Storage I/O performance

The performance of the underlying storage system varies depending on the Kubernetes deployment. Ensuring consistent I/O performance for DS is more difficult in containerized environments.

Storage abstraction

While Kubernetes abstracts storage, DS requires low-latency, high-performance access to storage. The additional layers of abstraction can introduce latency, affecting the overall performance of DS.

Networking and performance

Network latency

Kubernetes networks introduce additional latency between DS nodes, especially in multi-node or multi-region deployments. This can negatively affect replication performance.

Load balancing

Kubernetes networking and load balancers optimize for stateless services.

DS requires stable, long-lived TCP connections across all DS servers to maintain a stable, shared state. For multi-cluster deployments, you must adapt Kubernetes networking and load balancing settings to ensure effective replication.

Data consistency and high availability

Replication and consistency

Ensuring data consistency across DS replicas can be challenging in distributed environments. Kubernetes can reschedule pods across different nodes or regions, potentially leading to inconsistencies in replication and eventual consistency issues.

Failover

For an HA database system like DS, automatic failover is critical. In Kubernetes, especially in a multi-node or multi-region setup, configuring automatic failover adds complexity.

Data recovery

When a database node fails, it’s critical to recover the lost data while the service continues without interruption. This can be challenging in Kubernetes, which is designed for ephemeral containers.

Scaling and resource allocation

Horizontal scaling

While Kubernetes excels at scaling stateless applications, scaling a stateful set horizontally is much more complex. Sharding data, managing replication, and ensuring consistent data across multiple pods adds operational complexity.

Vertical scaling limitations

DS requires consistent CPU, memory, and I/O resources. Scaling vertically by increasing resources for a single pod is more challenging in Kubernetes than in traditional server environments with dedicated systems allocated for intensive workloads.

When scaling vertically, you can reach limits for nodes or need to adjust settings for all DS pods to avoid resource imbalances.

Dynamic resource allocation

Kubernetes is optimized to assign resources to pods dynamically. As a database, DS has strict requirements for memory, CPU, and disk I/O.

In a shared Kubernetes cluster, you must overcome the challenges of resource constraints and noisy neighbor issues to ensure consistent DS performance.

Administrative tasks

Complex backups

Performing consistent backups in a Kubernetes environment can be challenging as it involves multiple pods and volumes. The backup procedures must capture the database state, accounting for any differences in data stored across different pods or persistent volumes. This requires careful orchestration when some DS pods are configured differently from others.

Disaster recovery

In Kubernetes, node failures or cluster outages are expected. Recovering DS data when such events happen while ensuring data integrity is more challenging than simply restarting a stateless service. Ensuring quick recovery times and data integrity in multi-node or multi-region setups can be complex.

You must make sure DS recovers the correct data. When you restore data only on some replicas, the data must be more recent than the replication purge delay.

Resources

DS commands like backendstat, export-ldif, import-ldif, rebuild-index, and verify-index require additional resources when running on the pod. Size pods with this in mind to prevent Kubernetes from terminating the pod due to insufficient resources when performing administrative tasks.

In addition, make sure a pod is only marked operational for the deployment after the appropriate ramp-up time. Make sure the pod stays online during any ramp-down time required for administrative tasks.

Observability and health monitoring

Log files

Collect the logs for all pods in a central location.

Performance monitoring

Automate performance monitoring to react before imminent failure and for capacity planning, not just for dynamic scaling.

Operational excellence

Kubernetes is versatile and dynamic. Running a database like DS demands a high level of operational excellence. Key operations like rescheduling, scaling, backups, failover, and recovery are particularly challenging in Kubernetes unless all your team members have a solid grasp of the concepts and the requisite expertise.

Pod restarts and rescheduling

Kubernetes restarts and reschedules pods at any time, which can be disruptive for a stateful database like DS. Unlike stateless services, DS must maintain data integrity and consistency during these operations. Ensuring smooth restarts without data loss or corruption adds operational overhead.

Database upgrades

Rolling updates and upgrades are standard for stateless applications in Kubernetes. Upgrading DS, which can involve schema changes and index rebuilds, is more complex. You must plan carefully to ensure data remains consistent during each upgrade.

If your team has the required skills and experience, use ForgeOps as a guide. ForgeOps demonstrates deploying the Ping Identity Platform, including DS, on Kubernetes.

Third-party software

Ping Identity provides support for using the following third-party software when logging Common Audit events:

Software                       Version
Java Message Service (JMS)     2.0 API
MySQL JDBC Driver Connector/J  8 (at least 8.0.19)
Splunk                         8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

Ping Identity recommends you consider these alternatives. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the Ping Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a Ping Identity Platform service goes offline, or delivery issues occur.

These tools can work with Common Audit logging:

  • Configure the server to log messages to standard output, and route from there.

  • Configure the server to log to files, and use log collection and routing for the log files.

Ping Identity provides support for using the following third-party software when monitoring Ping Identity servers:

Software    Version
Grafana     5 (at least 5.0.2)
Graphite    1
Prometheus  2.0

What’s new

DS 7.4.0

If you use data encryption with default settings, avoid deploying DS 7.4.0. Use DS 7.4.1 or later instead, as these releases include a fix for OPENDJ-10211.

If you deployed DS 7.4.0 with data encryption (confidentiality) using default settings, do not use the upgrade command to upgrade in-place.

Instead, refer to Upgrade from DS 7.4.0.

DS 7.3.0

If you deployed DS 7.3.0 with static groups, important upgrade actions may be required.

Contact support for details.

DS 7.5.1

DS 7.5.1 is the latest release targeted for DS 7.5 deployments and can be downloaded from the download page.

The release can be deployed as an initial deployment or updated from an existing DS 7.5.x or earlier deployment.

HDAP

  • HDAP is no longer a Technology Preview.

    Customers can now use HDAP in production deployments. The interface stability for HDAP is Evolving.

Operating systems

  • This release adds support for Windows Server 2022.

Tools

  • The dsrepl status command now shows hostname information when used with the --showReplicas or --showChangelogs option.

DS 7.5.0

Disaster recovery

  • DS servers now support safer disaster recovery procedures you can apply one server at a time.

    The procedures hinge on the new dsrepl disaster-recovery command. The new subcommand replaces the previous subcommands, which have been removed. For details, refer to the disaster recovery documentation.

HDAP

  • HDAP now supports HTTP Bearer authorization with an access token.

    This is especially useful when performing multiple operations as a user with a strong password storage scheme. The computational cost to validate the password is high, but you pay that cost only once, when obtaining the token. The cost to validate a JWT on each subsequent operation is low. For details, refer to Bearer auth and to the code samples in the HDAP documentation.

Indexing

  • DS servers no longer require rebuilding indexes for attributes that have never been used before.

  • DS servers are now more efficient in using equality indexes as a replacement for presence indexes when processing intersection search filters.

  • DS servers can now fall back to VLV indexes for some true and equality searches with appropriate sort keys.

    For details, refer to Index use by matching rule.

Access logs

  • DS servers now log search index diagnostics for unindexed searches.

    When the response > additionalItems > unindexed field of an access log message is true, review the response > additionalItems > debugSearchIndex object to diagnose why the search was not indexed.

  • Log messages now list LDAP control aliases instead of OIDs in the response details.

Monitoring

  • DS monitoring metrics now include specific metrics for persistent search etimes:

    • The LDAP attribute on an LDAP connection handler monitoring entry is ds-mon-requests-psearch.

    • The Prometheus metric is ds_connection_handlers_ldap_requests_count{ldap_handler,type="psearch"}.

  • DS Prometheus monitoring output now complies better with third-party applications. It follows the Prometheus text format.

    To continue using the previous format for now, set legacy-format:true in the Prometheus endpoint configuration. This setting is deprecated and likely to be removed in a future release.

Resource limits

  • DS resource limits now depend on the proxy authorization identity rather than the bind DN.

Searches

  • DS now explicitly restricts persistent searches to a single backend.

Java

  • DS now supports Java 17 and 21.

    With Java 21 you can try experimental virtual thread support, a DS Technology Preview (not for production use).

    When trying this experimental feature, run DS with a Project Loom early-access build of Java. At the time of this writing, the early-access builds are based on JDK 23. The early-access builds include fixes preventing thread starvation and deadlocks in DS under extreme write loads.

    DS uses virtual threads for core processing, not for network I/O, replication, or other features. The use of virtual threads is expected to expand to other features in future releases. For details, refer to Java settings.

Operating systems

  • This release adds support for Amazon Linux 2023.

Tools

  • The new dsrepl decode-csn command helps debug replication issues. It displays the components of one or more valid CSNs to show when they were generated and which server generated them.

  • The supportextract command now includes the system hostname in the name of the archive file.

  • The upgrade command now stops the upgrade process if the previous version is DS 7.4.0 and the server uses data encryption (confidentiality) with the default AES/GCM cipher.

    For instructions, refer to Upgrade from DS 7.4.0.

DS 7.4

DS 7.4.3

DS 7.4.3 is the latest release targeted for DS 7.4 deployments and can be downloaded from the ForgeRock Backstage website.

The release can be deployed as an initial deployment or updated from an existing DS 7.4.x or earlier deployment.

DS 7.4.2

DS 7.4.2 is a maintenance release with the following improvements.

Disaster recovery
  • DS servers now support safer disaster recovery procedures you can apply one server at a time.

    The procedures hinge on the new dsrepl disaster-recovery command. For details, refer to the disaster recovery documentation.

Operating systems
  • This release adds support for Amazon Linux 2023.

Resource limits
  • DS resource limits now depend on the proxy authorization identity rather than the bind DN.

DS 7.4.1

DS 7.4.1 is a maintenance release with the following improvements.

Security
  • The DS Crypto Manager configuration now has an advanced property, key-wrapping-mode, to set the key wrapping mode for protecting symmetric keys.

    When using a FIPS-compliant security provider that doesn’t allow direct encryption, change the Crypto Manager configuration to set key-wrapping-mode: WRAP.

Tools
  • The supportextract command now includes the system hostname in the name of the archive file.

DS 7.4.0

HDAP

This release introduces the HTTP Directory Access Protocol (HDAP) API for HTTP access to LDAP data.

Interface stability: Technology Preview

HDAP enables web-based HTTP applications and services to interact with LDAP directories. It uses HTTP as the transport protocol and JSON as the data format, making directory data easy to access and use in web applications. With HDAP, web-based systems and LDAP directories communicate and integrate simply and easily.

HDAP exposes the full hierarchical object-oriented data model of DS with the following benefits:

  • Supports all features of the LDAP protocol and many extensions

  • Simplifies configuration; no complex data mappings

  • Manages LDAP schema as data

  • Lets applications validate resources using their JSON schema

  • Opens access to advanced administrative features such as collective attributes, password policy sub-entries, and access controls

  • Lets applications perform subtree searches and rename resources

For details, read Use HDAP.

Access logs
  • DS log messages now include elapsedQueueingTime, the time the request waited in the queue before a worker thread picked it up, and elapsedProcessingTime, the time spent actively processing the request. For details, refer to About logs.

    Use the following new access log filtering criteria for logs targeting outliers:

    • response-etime-queueing-greater-than

    • response-etime-queueing-less-than

    • response-etime-processing-greater-than

    • response-etime-processing-less-than

  • DS log messages with additionalItems fields now set their additional items to true instead of null.

    For example, the message for an unindexed search now includes "additionalItems":{"unindexed":true}.

  • DS can now record the attributes targeted by modification requests.

    For details, refer to Log modifications.

  • DS now logs security information about TLS handshake operations, including the negotiated protocol version and cipher, and the resulting security strength factor (SSF).

    A new tls setting for access log filtering criteria lets you filter on TLS handshakes.

    For details, refer to About logs.

  • DS access logs messages now include the user-friendly name and criticality for LDAP controls. For request controls, the messages also include the values.

    For details, refer to About logs.
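
The queueing and processing timings above, and the additionalItems.unindexed and additionalItems.debugSearchIndex fields that the DS 7.5.0 notes describe for unindexed searches, can be triaged straight from the JSON access log. The following script is an added example, not code from PingDS or its documentation. The sample log lines are constructed: the field names the release notes mention are used as given, while request.operation, request.filter, request.dn and the contents of the debugSearchIndex object are assumptions for illustration only.

```python
"""Triage PingDS JSON access-log lines for unindexed and slow requests.

Added example, not code from PingDS. Sample records are constructed; only the
field names named in the release notes (response.elapsedQueueingTime,
response.elapsedProcessingTime, response.additionalItems.unindexed,
response.additionalItems.debugSearchIndex) are taken from the documentation.
"""
import json

# Constructed sample: one JSON object per line, as DS writes JSON access logs.
# The last line stands in for a non-JSON line an external tool might append.
SAMPLE_LOG = """\
{"eventName":"DJ-LDAP","request":{"protocol":"LDAP","operation":"SEARCH","dn":"ou=People,dc=example,dc=com","filter":"(uid=bjensen)"},"response":{"status":"SUCCESSFUL","elapsedTime":2,"elapsedQueueingTime":0,"elapsedProcessingTime":2,"nentries":1}}
{"eventName":"DJ-LDAP","request":{"protocol":"LDAP","operation":"SEARCH","dn":"ou=People,dc=example,dc=com","filter":"(description=*sales*)"},"response":{"status":"SUCCESSFUL","elapsedTime":1830,"elapsedQueueingTime":12,"elapsedProcessingTime":1818,"nentries":4096,"additionalItems":{"unindexed":true,"debugSearchIndex":{"filter":"(description=*sales*)","reason":"no substring index for description"}}}}
{"eventName":"DJ-LDAP","request":{"protocol":"LDAP","operation":"MODIFY","dn":"uid=bjensen,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","elapsedTime":950,"elapsedQueueingTime":930,"elapsedProcessingTime":20}}
not json: a line an external log tool appended
"""


def parse_log(text):
    """Return one dict per well-formed JSON line; skip anything else."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or foreign line; never let it abort triage
    return events


def _items(event):
    return (event.get("response") or {}).get("additionalItems") or {}


def is_unindexed(event):
    """True when the server flagged the search as unindexed.

    DS 7.4 and later write "unindexed": true; earlier releases wrote
    "unindexed": null, so test for the key rather than for the value true.
    """
    items = _items(event)
    return "unindexed" in items and items["unindexed"] is not False


def unindexed_searches(events):
    """Return (filter, debugSearchIndex) for every unindexed search."""
    return [
        ((ev.get("request") or {}).get("filter"), _items(ev).get("debugSearchIndex"))
        for ev in events
        if is_unindexed(ev)
    ]


def outliers(events, queueing_ms=None, processing_ms=None):
    """Return requests whose queueing or processing time exceeds a threshold.

    Each hit keeps both timings so the reader can tell worker-thread
    saturation (high queueing, low processing) from an expensive request
    (low queueing, high processing). Records without the two fields,
    for example from a pre-7.4 server, are ignored rather than misreported.
    """
    hits = []
    for ev in events:
        resp = ev.get("response") or {}
        q, p = resp.get("elapsedQueueingTime"), resp.get("elapsedProcessingTime")
        if q is None or p is None:
            continue
        cause = []
        if queueing_ms is not None and q > queueing_ms:
            cause.append("queueing")
        if processing_ms is not None and p > processing_ms:
            cause.append("processing")
        if cause:
            req = ev.get("request") or {}
            hits.append({"operation": req.get("operation"), "dn": req.get("dn"),
                         "queueing_ms": q, "processing_ms": p, "cause": cause})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for flt, dbg in unindexed_searches(evs):
        print("UNINDEXED", flt, json.dumps(dbg))
    for hit in outliers(evs, queueing_ms=500, processing_ms=1000):
        print("SLOW", hit)
```

Run it against a real logs/ldap-access.audit.json to get the same two views: unindexed searches with the server's own diagnosis, and a split between requests that were slow because the server was saturated and requests that were slow in themselves. The first group points at thread or load problems, the second at missing indexes or abusive clients.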

Debug and error logs
  • Configuring debug-level logging is simpler with predefined logging categories.

    For details, refer to Debug-level logging.

Monitoring
  • DS monitoring metrics now include information to help troubleshoot changelog purging:

    • The LDAP attributes under cn=monitor are:
      ds-mon-changelog-file-count
      ds-mon-purge-waiting-for-change-number-indexing

    • The Prometheus metrics are:
      ds_replication_changelog_purge_waiting_for_change_number_indexing
      ds_replication_changelog_replica_dbs_changelog_file_count

Password policy
  • DS attribute value password validators with ds-pwp-attribute-value-check-substrings:true or check-substrings:true now check whether the password contains portions of attribute values and whether the attribute values contain portions of the password.

Collective attributes
  • DS servers now let you rename collective attributes.

    For details, refer to Rename an attribute.

Schema
  • New DS servers now check certificate lists, certificate pairs, and postal address syntax attributes for validity. The change affects attributes such as certificateRevocationList, crossCertificatePair, and postalAddress.

    The change doesn’t apply to DS servers you upgrade in place.

Replication
  • DS servers now log a warning message such as the following when replication status is Bad data and the problem seems to be the fractional replication configuration:

    Replication server RS(<server-id>) ignoring update <csn> for domain "<domain>"
    from directory server DS(<server-id>) at <server-address> because the peer DS
    reported to be in BAD_DATA status. The generation ID matches, (DS is <generation-id>,
    RS is <generation-id>), there may be a problem with fractional replication configuration.
    Check the DS error logs for more details

Performance
  • DS servers now more efficiently process OR filters composed of equality filters using the same attribute types.

    An example LDAP search filter of this type is (|(uid=uid1)(uid=uid2)…​(uid=uidN)), where N can be large.

Tools
  • The dsconfig command online help and Configuration reference now label deprecated and legacy configuration objects and properties.

  • Many commands with the --usePkcs11KeyStore option now also support the following options:

    • --providerArg to specify the provider configuration.

    • --providerClass or --providerName to specify the implementation.

  • All backendstat list-* subcommands now display indexes ordered by name.

DS 7.3

DS 7.3.5

DS 7.3.5 is the latest release targeted for DS 7.3 deployments and can be downloaded from the download page.

The release can be deployed as an initial deployment or updated from an existing DS 7.3.x or earlier deployment.

Disaster recovery
  • DS servers now support safer disaster recovery procedures you can apply one server at a time.

    The procedures hinge on the new dsrepl disaster-recovery command. For details, refer to the disaster recovery documentation.

Operating systems
  • This release adds support for Amazon Linux 2023.

Resource limits
  • DS resource limits now depend on the proxy authorization identity rather than the bind DN.

DS 7.3.4

Security
  • The DS Crypto Manager configuration now has an advanced property, key-wrapping-mode, to set the key wrapping mode for protecting symmetric keys.

    When using a FIPS-compliant security provider that doesn’t allow direct encryption, change the Crypto Manager configuration to set key-wrapping-mode: WRAP.

Tools
  • The supportextract command now includes the system hostname in the name of the archive file.

DS 7.3.3

DS 7.3.3 is a maintenance release that does not include new features.

DS 7.3.2

DS 7.3.2 is a maintenance release that does not include new features.

DS 7.3.1

DS 7.3.1 is a maintenance release that does not include new features.

DS 7.3.0

Replication
  • DS servers now send data more efficiently when initializing a replica online, improving the speed of online initialization. This improvement requires that both servers run DS 7.3 or later.

  • DS replication now distinguishes when a replica requires reinitialization because it has fallen further behind the replication server than allowed by the replication-purge-delay. DS sets the ds-mon-status attribute for LDAP or ds_replication_replica_status{status} for Prometheus to Too late. Earlier versions of DS assigned Bad generation id status to such replicas.

    The dsrepl status output changed to take advantage of the new status. It now distinguishes the following states for a replicated data set:

    BAD - DATA MISMATCH

    Requires reinitialization; verify the replication configuration

    BAD - TOO LATE

    Requires reinitialization

    GOOD

    Normal operation; nothing to do

    SLOW

    Replication delay greater than five seconds

Groups
  • DS now uses significantly less memory for the group cache and for entry caches.

    Revisit Java heap size and database cache settings after upgrading. For details on setting heap and cache sizes, refer to Performance tuning.

  • DS now more effectively reads and updates entries with attributes having many values, such as LDAP and POSIX group entries.

    Entry caches are no longer required for these entries in most deployments. If you have enabled entry caches for large groups, consider removing them after upgrade.

  • DS monitoring metrics now include counts of static, dynamic, and virtual static groups, and statistics on the distribution of group sizes.

    For details, refer to Groups (Prometheus) and Groups (LDAP).

Indexing

When you upgrade DS directory servers in place, you must rebuild all indexes. The rebuilt indexes reflect required string normalization fixes.

If possible, trigger this rebuild during the in-place upgrade. Until you rebuild the indexes, normal operations can result in degraded index errors.

  • DS servers now let you monitor index cost, which enables you to determine which indexes are causing write contention.

    For details, refer to Index cost.

  • DS servers now support a new matching rule, making it easier to monitor progress when migrating passwords to a new storage scheme.

    For an example, refer to Eliminate reversible password storage.

  • DS servers now display a message when you configure an unnecessary presence index for an attribute that already has an equality index DS can use for presence searches.

    DS servers also display the message at startup.

Monitoring
  • DS monitoring for Prometheus now includes a metric for replica status.

    For details, refer to Replication status (Prometheus).

  • DS monitoring metrics now include counts of global and entry ACIs, and of the number of entries with ACIs.

    For details, refer to ACIs (Prometheus) and ACIs (LDAP).

  • DS monitoring metrics now include counts of the memory allocated to entry caches.

  • DS monitoring metrics now include a count of LDAP subentries.

    For details, refer to Subentries (Prometheus) and Subentries (LDAP).

  • DS monitoring metrics now include information to help troubleshoot change number indexing:

    • The Prometheus metrics are:
      ds_change_number_indexing_state
      ds_change_number_time_since_last_indexing_seconds

    • The LDAP attributes under cn=monitor are:
      ds-mon-indexing-state
      ds-mon-replicas-preventing-indexing
      ds-mon-time-since-last-indexing

    When the indexing state is not INDEXING, also read the replication logs for warning messages with additional details.

  • The metrics counting the number of indexed and unindexed searches have been renamed ds-mon-backend-filter-indexed and ds-mon-backend-filter-unindexed, and are now always maintained, even when index filter analysis is disabled.

LDAP
  • DS servers now compare userCertificate attribute values more efficiently.

Schema
  • DS servers now allow mail addresses to include UTF-8 characters, not just ASCII.

    The change does not affect directory data, but it does affect mail indexes, which may become degraded. When upgrading, you may need to rebuild degraded indexes. For details, refer to When adding new servers and Update LDAP schema.

Tools
  • The modrate command now includes new options for adding and replacing values of multivalued attributes. This lets you use the command to simulate more realistic workloads. Previously, modrate only supported single-valued replace updates.

    The new options are:

    --strategy (modify|read_modify)

    Set this option to --strategy read_modify to use the new feature, reading an entry, then modifying it by deleting and adding attribute values.

    The default, --strategy modify, uses single-valued replace updates as before.

    --valueCount number

    Set this option to specify how many attribute values the multivalued attribute should contain following the modify operation. The number default is 1.

    --mvcc attribute

    Optionally set this option to specify the attribute to use for MVCC. Default: --mvcc eTag.

    For details, refer to the modrate reference page.

DS 7.2

DS 7.2.5

DS 7.2.5 is the latest release targeted for DS 7.2 deployments and can be downloaded from the download page.

You can deploy this release as an initial deployment or use it to update an existing DS 7.2.x deployment.

Disaster recovery
  • DS servers now support safer disaster recovery procedures you can apply one server at a time.

    The procedures hinge on the new dsrepl disaster-recovery command. For details, refer to the disaster recovery documentation.

Resource limits
  • DS resource limits now depend on the proxy authorization identity rather than the bind DN.

DS 7.2.4

Security
  • The DS Crypto Manager configuration now has an advanced property, key-wrapping-mode, to set the key wrapping mode for protecting symmetric keys.

    When using a FIPS-compliant security provider that doesn’t allow direct encryption, change the Crypto Manager configuration to set key-wrapping-mode: WRAP.

DS 7.2.3

DS 7.2.3 is a maintenance release that doesn’t include new features.

DS 7.2.2

DS 7.2.2 is a maintenance release that doesn’t include new features.

DS 7.2.1

DS 7.2.1 is a maintenance release that does not include new features.

DS 7.2.0

Backup
  • DS servers now support Amazon AWS temporary credentials when backing up and restoring data using S3.

    You set the AWS session token using the s3.sessionToken.env.var storage property. For example, first set the session token as the value of the AWS_SESSION_TOKEN environment variable, then use --storageProperty s3.sessionToken.env.var:AWS_SESSION_TOKEN in the dsbackup commands.

    For additional examples, refer to Cloud storage.

  • DS servers now send an alert notification when backup task completes.

    The new alert types are org.opends.server.BackupSuccess and org.opends.server.BackupFailure, and are documented in Alert types.

Indexing
  • DS servers now support big indexes. A big index is a new kind of index optimized for attributes with few unique values. Big indexes let users more easily page through all the users in a US state, for example.

  • DS servers now let you monitor index use, so you can determine which indexes are unused.

    For details, refer to Unused indexes.

  • DS servers now support a DN pattern matching rule that lets you index an attribute with DN values, and search with wildcard characters, so you can find matches for specific RDNs in the DN, for example.

    For details, refer to DN patterns.

  • DS servers have improved output for debugging search indexes.

    For examples, refer to Debug search indexes. (As explained there, the format of debugsearchindex values is not a stable public interface, because it is intended for human beings, not scripts.)

  • The output for the backendstat list-indexes and backendstat show-index-status commands is easier to read and to understand.

  • DS servers now optimize searches for unresolved conflicts.

  • DS servers now more efficiently optimize searches for initial substrings.

Logging
  • DS servers now include entrySize in access log messages. You can filter access logs based on minimum entry size with the log filtering criteria setting, response-entry-size-greater-than.

    For details, refer to About logs.

  • By default, DS servers are configured to manage log file retention and rotation. For details on configuring this, refer to Rotate and retain logs.

    When an external program is also configured to manage DS log files, and moves or deletes log files in a way that a DS server does not expect, the DS server now detects the change and logs an error message.

    Either let the DS server manage its log files, or configure an external program to do so, not both.

Monitoring
  • DS monitoring now takes replication listener threads into account when calculating whether a server is healthy. Monitoring shows a server to be in a healthy state if the server is alive, the replication server is accepting connections on the configured port, and any replication delays are below the configured threshold.

  • DS servers now support histogram metrics, as described in Metric types reference.

    As indicated in LDAP metrics reference and Prometheus metrics reference, DS servers expose the following histogram monitoring metrics:

    LDAP

    ds-mon-backend-entry-size-read
    ds-mon-backend-entry-size-written

    Prometheus

    ds_backend_entry_size_read_bucket{backend,type,le}
    ds_backend_entry_size_written_bucket{backend,type,le}

  • DS servers now let the monitor user read monitoring information over HTTP when some backends are offline, as long as the backend holding the monitor user entry remains online.

Password storage
  • DS servers now support hashing passwords with Argon2 for password storage.

    For details, refer to Password Storage.

Performance
  • DS servers now generate ETag attribute values more efficiently.

    This improves the performance of REST to LDAP applications that use ETags for MVCC. The plugin generates real ETag attributes for adds and updates. The server relies on the existing virtual attribute implementation only when a real ETag is not available.

    The implementation depends on a server plugin that is only configured for new servers. After upgrading all servers, configure the plugin on each server to use the new feature. For details, refer to Use the entity tag plugin for ETags.

  • DS servers now more efficiently verify passwords stored with PKCS5S2.

  • DS servers now run the rebuild-index command more efficiently when you identify specific indexes to rebuild.

    They also now run the rebuild-index --rebuildDegraded command more efficiently when there are no indexes to rebuild.

  • DS servers now start up more quickly when there are large numbers of groups.

    When the server starts, it runs an internal search to find all groups. DS servers now maintain a big index for objectClass that is specific to groups.

    In previous versions, the search for groups at startup could be unindexed. The workaround was to raise the index entry limit for the objectClass index, with the tradeoff of maintaining indexes for more object classes, and impacting write performance. The workaround is no longer necessary for new servers.

    Upgrading does not change the server configuration, however, so the index is not present after you upgrade. If you have applied the workaround of raising index-entry-limit for objectClass, and have upgraded your servers:

    1. Install a new, throwaway server with the evaluation profile, as described in Install DS for evaluation.

    2. Review the configuration for the big-equality index for objectClass.

      For example:

      dsconfig get-backend-index-prop --backend-name dsEvaluation --index-name objectClass --offline
    3. For your upgraded servers, consider adding a big-equality index for the groups, lowering index-entry-limit for objectClass, and rebuilding the objectClass indexes.

      Server startup time should be just as good, and write performance might improve.

Proxy
  • DS servers now support the Proxy Protocol from HAProxy.

    For details, refer to Proxy protocol.

  • The proxy backend settings to regularly contact remote LDAP servers now offer additional configuration for more fine-grained control when keeping connections alive and checking remote server availability.

    For details, refer to Proxy backend.

Replication
  • DS replication servers now check that the port is available when you change the configuration.

REST to LDAP
  • When you perform a paged results query whose corresponding LDAP search is indexed, the response now contains an estimated number of "totalPagedResults", and "totalPagedResultsPolicy" : "ESTIMATE".

    For an example, refer to Paged results.

  • When you perform a query, you can now request the resource count only, using the new _countOnly query string parameter. REST to LDAP returns the count, and not the resources.

    This parameter requires protocol version 2.2 or later. Use a header like Accept-API-Version: protocol=2.2,resource=1.0, for example.

    For details, refer to Query.

  • When converting JSON values, REST to LDAP now coerces:

    • Strings to booleans, integers, or JSON where possible.

    • Whole floating point numbers to integers.

    REST to LDAP also returns helpful errors when coercion fails. This improves interoperability with client applications that do not or cannot perform the conversions before adding or updating resources.

  • The REST to LDAP gateway settings now let you configure:

    • Availability checks for load balancing.

      The default heartbeat check settings have also been changed to check that pooled connections are alive every five minutes with a three-second keep-alive heartbeat timeout.

    • As many pools of failover servers as needed.

      You specify the pools using the "failoverLdapServers" field. The gateway still accepts "primaryLdapServers" and "secondaryLdapServers" settings for compatibility.

    • A connection timeout.

    For details regarding these new settings, refer to LDAP connection factories.

  • Internally, REST to LDAP now simplifies search filters when possible. This can improve search performance in some cases.

    REST to LDAP removes redundant objectClass assertions from search filters, retaining specific classes, but removing the superclasses they inherit from. For example:

    (&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson))

    Becomes:

    (objectClass=organizationalPerson)
  • REST to LDAP now updates single-valued LDAP attributes by replacing the value, which reduces the network bandwidth and historical change data needed to replicate the update.
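
The objectClass simplification described above, as an added example that is not code from PingDS or REST to LDAP. It handles only the case the release notes describe, a top-level AND of equality assertions, and leaves any other filter untouched. The class-to-superclass map is an assumption for illustration: it lists the standard chain for inetOrgPerson plus one constructed auxiliary class, exampleAccount, where a real implementation would read the chain from the server schema.

```python
"""Drop objectClass assertions implied by a more specific class in an AND filter.

Added example, not PingDS code. SUPERCLASS is an assumed hierarchy: the
standard top > person > organizationalPerson > inetOrgPerson chain, plus the
constructed auxiliary class exampleAccount.
"""
import re

SUPERCLASS = {
    "top": None,
    "person": "top",
    "organizationalPerson": "person",
    "inetOrgPerson": "organizationalPerson",
    "exampleAccount": "top",          # constructed auxiliary class
}

# A top-level AND whose members are all simple equality assertions.
_AND_OF_EQUALITIES = re.compile(r"^\(&((?:\([^()=]+=[^()]*\))+)\)$")
_EQUALITY = re.compile(r"\(([^()=]+)=([^()]*)\)")


def ancestors(oc, hierarchy=SUPERCLASS):
    """Every superclass of oc, excluding oc itself; names compared case-insensitively."""
    h = {k.lower(): (v.lower() if v else None) for k, v in hierarchy.items()}
    out = set()
    cur = h.get(oc.lower())
    while cur is not None and cur not in out:   # the membership test guards against a cyclic map
        out.add(cur)
        cur = h.get(cur)
    return out


def minimal_classes(classes, hierarchy=SUPERCLASS):
    """Keep only classes that no other listed class already implies.

    Input order is preserved and duplicates are dropped. A class missing from
    the hierarchy implies nothing and is therefore always kept.
    """
    implied = set()
    for c in classes:
        implied |= ancestors(c, hierarchy)
    kept, seen = [], set()
    for c in classes:
        key = c.lower()
        if key not in implied and key not in seen:
            kept.append(c)
            seen.add(key)
    return kept


def simplify_filter(ldap_filter, hierarchy=SUPERCLASS):
    """Return the filter with redundant objectClass assertions removed.

    Only a top-level AND of equality assertions is rewritten; anything else
    (OR, NOT, nested filters, substring or presence assertions) is returned
    unchanged. If one assertion remains, the AND wrapper is dropped.
    """
    m = _AND_OF_EQUALITIES.match(ldap_filter)
    if not m:
        return ldap_filter
    assertions = _EQUALITY.findall(m.group(1))
    classes = [v for a, v in assertions if a.lower() == "objectclass"]
    keep = {c.lower() for c in minimal_classes(classes, hierarchy)}
    parts, seen = [], set()
    for attr, value in assertions:
        if attr.lower() == "objectclass":
            if value.lower() not in keep or value.lower() in seen:
                continue
            seen.add(value.lower())
        parts.append(f"({attr}={value})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    print(simplify_filter("(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson))"))
    print(simplify_filter("(&(objectClass=top)(objectClass=inetOrgPerson)(uid=bjensen))"))
```

The rewrite is safe only because LDAP schema requires an entry holding a class to hold all of that class's superclasses, so the dropped assertions cannot change the result set. Applying it with a hierarchy that does not match the server's schema (a custom class wrongly recorded as a subclass) would widen the search, which is why the real implementation derives the chain from the schema rather than from a hand-written map.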

Schema
  • The schema definitions in the db/schema/04-rfc2307bis.ldif file now align with those of the latest RFC 2307bis Internet-Draft, An Approach for Using LDAP as a Network Information Service.

    The change does not affect directory data, but when upgrading you may need to rebuild degraded indexes. For details, refer to When adding new servers and Update LDAP schema.

Security
  • The PKCS#11 hardware security module documentation now explains how to use an HSM for all asymmetric keys, including the shared master key, provided the directory data is not (yet) encrypted.

    If you plan to use an HSM for the shared master key, read the documentation carefully before you install DS. When you set up the server, you must avoid accidentally encrypting data with the wrong shared master key, because data encrypted with one master key cannot be read after switching to another.

    For details, refer to Store the shared master key.

Tools
  • A new DS bash-completion command generates a completion script for the Bash shell that makes it easier to write other DS commands.

    The completion script depends on support for bash-completion, which is not included by default on macOS.

    To set up Bash completion for DS commands, source the output of the script:

    Bash 4:

      source <(/path/to/opendj/bin/bash-completion)

    Bash 3.2 (macOS):

      # First, install bash-completion support.
      # Next:
      eval "$( /path/to/opendj/bin/bash-completion )"

    You can make completion available in any new interactive shell by adding it to your ~/.bash_profile file, or ~/.bashrc file if it is loaded by the new shell.

  • The new dskeymgr show-deployment-id command displays key information about a given deployment ID (formerly known as a deployment key), such as the expiration date for the derived CA certificate.

    For details, refer to Show deployment ID information.

  • The dsrepl status --showReplicas command now displays an Entry count column.

    The entry counts in each row reflect the number of entries in the specified replica under the specified base DN.

  • The supportextract command now collects additional system information, including data to indicate whether the system is running in a virtual machine.

  • When collecting environment variable values, the supportextract command now excludes environment variables whose names contain PASS, PWD, and _PW.

DS 7.1

DS 7.1.8

DS 7.1.8 is the latest release targeted for DS 7.1 deployments and can be downloaded from the download page.

The release can be deployed as an initial deployment or updated from an existing DS 7.1.x or earlier deployment.

Disaster recovery
  • DS servers now support safer disaster recovery procedures you can apply one server at a time.

    The procedures hinge on the new dsrepl disaster-recovery command. For details, refer to the disaster recovery documentation.

DS 7.1.7

DS 7.1.7 is a maintenance release and does not include new features.

DS 7.1.6

DS 7.1.6 is a maintenance release and does not include new features.

DS 7.1.5

DS 7.1.5 is a maintenance release and does not include new features.

DS 7.1.4

DS 7.1.4 is a maintenance release and does not include new features.

DS 7.1.3

REST to LDAP
  • REST to LDAP now updates single-valued LDAP attributes by replacing the value, which reduces the network bandwidth and historical change data needed to replicate the update.

DS 7.1.2

Performance
  • DS servers now run the rebuild-index --rebuildDegraded command more efficiently when there are no indexes to rebuild.

Tools
  • The supportextract command now collects additional system information, including data to indicate whether the system is running in a virtual machine.

  • When collecting environment variable values, the supportextract command now excludes environment variables whose names contain PASS, PWD, and _PW.

DS 7.1.1

DS 7.1.1 is a maintenance release that does not include new features.

Java

DS 7.1.1 introduces support for Java 17 (17.0.3 or later) in addition to Java 11:

  • In Java 17, the PKCS#12 keystore encryption/Mac algorithm has been upgraded to HmacPBESHA256. Update to at least Java 11.0.12 if you have an application that runs Java 11 and must read the keystore.

  • Use G1 GC (the default) instead of parallel GC. The setting is shown in Java Settings. Use of ZGC or Shenandoah is not recommended for production deployments at this stage.

For details, refer to Java.

If you are upgrading, refer to Supported Java.

DS 7.1.0

Backup
  • The dsbackup command now lets you set a non-default storage provider endpoint.

    For details, refer to Cloud Storage.

Indexing
  • The online rebuild index process is now less intrusive, more effective, and more robust. When you run a rebuild-index command while the server is online, the backend database remains available for directory operations during the rebuild.

    Individual indexes do appear as degraded and unavailable while the server rebuilds them. A search request that relies on an index in this state may temporarily fail as an unindexed search.

Logging
  • DS log messages now include the authorization ID for every request.

  • DS servers now support logging the internal delete operations triggered by entry expiration.

    If you have set the ttl-age and ttl-enabled properties for a backend, use this feature by configuring an access log publisher to record messages about internal operations. When the server deletes an expired entry, it logs a message with "additionalItems":{"ttl": null} in the response.

    For background, refer to Entry Expiration.

Passwords
  • Password quality checks using the password quality advice control now ensure that proposed passwords are not in the password history.

    If the server finds the proposed password in the password history, this appears in the failing criteria returned with the advice response control.

    In addition, the REST to LDAP response over HTTP now includes the password attribute type.

Replication
  • DS servers now let you restrict which replicas you trust to send updates.

    By default, all directory servers in a replication topology trust all replicas. If a replica allows an update, then other servers relay and replay the update without further verification. This simplifies deployments where you control all the replicas.

    In deployments where you do not control all the replicas, you can configure replication servers to accept updates only from trusted replicas. The trust depends on the certificate that a replica presents to the replication server when connecting.

    For details, refer to Trusted Replicas.

  • DS servers now let you define replication group failover. This determines how a directory server selects the next group with replication servers to connect to when no replication server is available in the directory server’s own group.

    To activate replication group failover, set the global configuration property, group-id-failover-order.

    For details on how a directory server chooses a replication server, refer to Replication Connection Selection.

  • When a replica’s last change is older than the oldest change recorded in the replication server’s changelog, the replication server now records the problem in its log, and sends a message to the replica. When it receives the message, a 7.1 replica remains connected to the replication server, but refuses update operations, effectively becoming read-only. A pre-7.1 replica closes the connection.

    In any case, the replica no longer applies replication updates. Its data diverges more and more from other replicas' data.

    Should this happen in your deployment, reinitialize the replica. For details, refer to Manual Initialization.

  • DS servers now log more explicit messages when they discover duplicate server IDs.

REST to LDAP
  • This release introduces support for querying fields of reference or reverseReference resources that are subtypes of the resources you are searching.

    As an example, suppose that devices and users are both subtypes of a "managed object" type. Also, suppose that devices have a deviceType field, that users have a surname field, and that a basic managed object has neither of these fields. Now, your queries on a collection of managed objects can match properties of the referenced subtypes, such as /managedObjects?_queryFilter=deviceType+eq+phone, or /managedObjects?_queryFilter=surname+eq+Jensen.

Samples
  • The sample for building custom DS Docker images now has a USE_DEMO_KEYSTORE_AND_PASSWORDS setting that simplifies getting started with a basic Docker image on your computer.

    For details, refer to opendj/samples/docker/README.md.

Security
  • DS directory and proxy servers now allow access to the root DSE operational attribute subSchemaSubEntry. This attribute indicates the entry holding the LDAP schema definitions.

    Many applications retrieve this attribute, and the associated schema, to properly display or validate attribute values. If you cannot upgrade yet, update the configuration of your DS server to grant all users read access to subSchemaSubEntry at least on the root DSE:

    • For DS 7 directory servers, add subSchemaSubEntry to the attribute list in the "User-Visible Root DSE Operational Attributes" global ACI.

    • For DS 7 directory proxy servers, add allowed-attribute:subSchemaSubEntry on the Root DSE access configuration object.

    For details on granting access to subSchemaSubEntry on entries in directory data, refer to ACI: Access SubSchemaSubEntry Attribute.

  • DS servers now support text-based Privacy-Enhanced Mail (PEM) keys and certificates for server key pairs, master keys, and trusted certificates.

    For details, refer to Use PEM-Format Keys.

  • The DS fingerprint-certificate-mapper now also supports fingerprints without colons.

    For example, the following SHA-256 fingerprints are equivalent:

    • 0555BDA5E14C35A6A54E78DD3EFDEA5A665DE0DC9CC5187EE9CAA91ECD874B78

    • 05:55:BD:A5:E1:4C:35:A6:A5:4E:78:DD:3E:FD:EA:5A:66:5D:E0:DC:9C:C5:18:7E:E9:CA:A9:1E:CD:87:4B:78

Tools
  • DS command options that have secrets as arguments now support :env and :file modifier suffixes.

    For example, if the bind password is stored in a ~/.pass file, use --bindPassword:file ~/.pass. If the password is stored in the environment variable PASS, use --bindPassword:env PASS.

    Use the modifiers with the following options to provide the secret in an environment variable (:env), or in a file (:file):

    • --bindPassword[:env|:file]

    • --deploymentKeyPassword[:env|:file]

    • --keyStorePassword[:env|:file]

    • --monitorUserPassword[:env|:file]

    • --rootUserPassword[:env|:file]

    • --set[:env|:file] (for setup profile parameters)

    • --trustStorePassword[:env|:file]

  • The supportextract command now uses the jcmd command, if available, for heap dumps. Otherwise, it uses the jmap command.

  • The addrate, authrate, modrate, and searchrate commands now include connection time as part of the response time for a request.

DS 7.0

DS 7.0.2

There are no new features in DS 7.0.2, only bug fixes.

DS 7.0.2 is the latest release targeted for DS 7.0.x deployments and can be downloaded from the download page.

The release can be deployed as an initial deployment or updated from an existing DS 7.0.x deployment.

DS 7.0.1

  • The DS password synchronization plugin for IDM now supports OAuth 2.0 access token bearer authentication.

    For details, refer to Synchronize Passwords With ForgeRock Directory Services (DS) in the IDM documentation.

  • DS command options that have secrets as arguments now support :env and :file modifier suffixes. Use these with the following options to provide the secret in an environment variable (:env), or in a file (:file):

    • --bindPassword[:env|:file]

    • --deploymentKeyPassword[:env|:file]

    • --keyStorePassword[:env|:file]

    • --monitorUserPassword[:env|:file]

    • --rootUserPassword[:env|:file]

    • --set[:env|:file] (for setup profile parameters)

    • --trustStorePassword[:env|:file]

    For example, if the bind password is stored in a ~/.pass file, use --bindPassword:file ~/.pass. If the password is stored in the environment variable PASS, use --bindPassword:env PASS.

  • The supportextract command now uses the jcmd command, if available, for heap dumps. Otherwise, it uses the jmap command. (Issue: OPENDJ-7662)

DS 7.0.0

Access control
Aliases for controls and extended operations

DS 7.0.0 supports use of aliases in addition to OIDs for LDAP controls and extended operations in ACIs, making those ACIs significantly more human-readable. For details, refer to Directory server ACIs.

Since previous releases support only OIDs, only use aliases in ACIs after upgrading all directory servers. Otherwise, older servers will log warning messages for the unrecognized aliases, such as the following:

Access Control Instruction (ACI) targetcontrol expression value "value" is invalid.
 A valid targetcontrol keyword expression value requires one or more valid control OID strings in the following format:
 oid [|| oid1] ... [|| oidN]

Authentication
Multiple identity mappers

The following configuration objects can now reference multiple identity mappers:

  • CRAM-MD5 SASL mechanism handler

  • DIGEST-MD5 SASL mechanism handler

  • GSSAPI SASL mechanism handler

  • HTTP Basic authorization mechanism

  • HTTP OAuth2 authorization mechanism

  • Password modify extended operation handlers

  • PLAIN SASL mechanism handler

  • Global configuration, proxied-authorization-identity-mapper

When resolving the identity, the server uses the first identity mapper that finds a match. If multiple identity mappers match different entries, however, then the server returns LDAP error code 19, Constraint Violation.

For background information, refer to Identity mappers.

Backup and restore
New, simplified implementation with cloud storage support

The release provides a new, simplified implementation for DS backup and restore operations:

  • The new implementation replaces backup archives with collections of backup files.

    The collection includes backend files and backup metadata. The files always follow the same layout, regardless of what you back up.

    You manage backup files by retaining an entire backup directory. You are no longer required to use a separate backup directory for each backend.

  • You can now stream backup files directly to cloud storage, and restore directly from cloud storage.

  • You no longer have to make a choice between full and incremental backup operations. Backup operations are incremental by design. When you reuse the same backup directory, the process only backs up new data.

  • The new implementation includes a purge subcommand for removing old backup files. You can purge old files either as an external command, or as a server task.

  • In the event of a disaster, you can restore from a backup directory stored off-site using only the deployment key and password, and a backup copy of the server configurations.

    The new implementation protects (encrypts) the backup encryption keys with the shared master key. It stores the encrypted encryption keys in the backup files.

    You no longer need to configure replication between new replicas and a server from the existing topology. Instead, you first set up replacement replicas with the deployment key and password, restoring the backed up server configurations to match those servers lost in the disaster. You then restore the data using the off-site backup directory.

  • The new implementation always signs and verifies the integrity of backups, and always encrypts backup files.

    The new implementation encrypts the keys used for signing and encryption with the shared master key. It stores the encrypted keys in the backup files.

    You can verify the integrity and ability to decrypt backups before restoring a backend.

  • The new implementation makes it possible to list and verify backups while the server is online.

  • The new implementation improves restore performance compared to restore of incremental backups in previous versions.

    The previous implementation restored files from the full backup archive, and then restored files from each incremental backup archive. Files could be restored and then removed, or restored multiple times.

    The new implementation only restores one version of each file in the backup directory.

  • A new command, dsbackup, replaces the backup and restore commands.

    The dsbackup command performs operations formerly performed using separate commands:

    • dsbackup create performs backup operations.

    • dsbackup list displays a summary of available backups, and lets you verify them.

    • dsbackup purge removes old backup files.

    • dsbackup restore performs restore operations.

  • The new dsbackup restore command has a --backendName option, which lets you restore only the specified backend.

For examples, refer to Backup and restore.

Cloud deployments
Ready for Docker and Kubernetes

DS 7.0.0 lifts restrictions on running DS servers in Docker and Kubernetes deployments. Many individual improvements make this possible, including the following:

  • Replication improvements let you scale the number of DS replicas in your stateful sets up and down.

  • The new dsrepl command runs well in Docker containers.

ForgeRock supports customers deploying DS in Docker containers and Kubernetes platforms.

To get started, try the following:

  • Use the forgeops repository and the unsupported, evaluation-only base images for the Ping Identity Platform. The images are available in ForgeRock’s public Docker registry.

  • Build your own sample DS Docker image.

    Unpack the .zip distribution, then refer to the opendj/samples/docker/README.md file for instructions.

Collective attributes
Relative parent support

DS servers now support specifying the relative parent in collective attribute subentries.

For details, refer to Inherit from a parent entry.

Data storage
Shared database cache by default

By default, DS servers now share cache memory among JE database backends. The server keeps JE database internal and leaf nodes in the database heap cache.

For existing servers, the upgrade command does not change the database cache behavior. Consider setting the global property je-backend-shared-cache-enabled:true, and the JE backends' properties db-cache-mode:cache-ln after upgrade.

For details, read about the following:

  • Database cache settings

  • Java settings

  • je-backend-shared-cache-enabled

  • db-cache-mode

Newer JE

DS 7.0.0 upgrades JE backend databases to Berkeley DB Java Edition 18.3.12.

Different DS server versions continue to replicate data during the upgrade process. However, the JE upgrade has the following implications for the portability of local DS data. Once you upgrade the data in a JE backend database:

  • You cannot downgrade a directory server without also restoring JE backend data from a pre-upgrade server.

  • You cannot restore backups of an upgraded JE backend on a pre-upgrade directory server.

In addition, several JE backend properties that affect cache sizing and database maintenance can now be changed at runtime without restarting the backend. For details, refer to JE backend.

Data encryption
Portable encrypted data

DS servers now store symmetric keys, encrypted with the shared master key, with the data they encrypt.

It is no longer necessary for disaster recovery to maintain a file system backup of a server from each replication topology in your deployment. It is now sufficient to keep the backup directory and a means to recover the shared master key. As long as a server has the same shared master key as the server that encrypted the data, it can recover symmetric keys needed to decrypt data.

Be aware that this feature is new, and not provided in previous versions of DS software. Replication is fully compatible with previous server versions, but backup files are not. For this feature to work, you must use a backup from an upgraded or new server.

GCM with AES

DS directory servers now support Galois/Counter Mode (GCM) with AES for encrypted data confidentiality. GCM is efficient and improves integrity protection for encrypted backend data.

Set the data encryption cipher transformation, as described in Data encryption. The default setting for the backend property cipher-transformation is now AES/GCM/NoPadding.

Email notifications
Secure, authenticated connections

Email notifications now support SMTP authentication and use of TLS.

For details, refer to Send account status mail and Mail server.

Interoperability
Microsoft AD range retrieval support

DS software now supports the * character in malformed attribute options for interoperability with the Microsoft Active Directory "range retrieval" mechanism.

Logging
Field whitelisting

ForgeRock Common Audit loggers now whitelist all fields that are safe to log by default. The whitelist is processed before the blacklist, so blacklist settings overwrite the whitelist defaults.

For details, refer to Allow log message fields.

Error messages to standard output

DS servers can now send error messages to standard output.

For details, refer to Log errors to standard output.

More information about operations in access logs

DS servers now record additional information about LDAP operations in access log messages:

  • For LDAP bind operations, the security strength factor (SSF) negotiated for secure client connections appears in the response field of the access log message:

    {..."request":{"protocol":"LDAPS","operation":"BIND"...}..."response":{..."additionalItems":"ssf=128"},...}

  • For persistent searches, the log messages include "additionalItems":"persistent".
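As an added example (not DS code), the following Python scans constructed access log lines that follow the shapes quoted in these notes: the negotiated SSF a bind records in "additionalItems", "persistent" for persistent searches, and the "additionalItems":{"ttl": null} that DS 7.1 logs for entry-expiration deletes when internal operations are logged. The sample lines, the field names outside request/response/additionalItems, and the function names are this example's assumptions, not the full Common Audit record.

```python
"""Added example (not DS code): scan DS-style JSON access log lines.

The lines below are constructed to follow the access log shapes quoted in
these notes: a bind's negotiated SSF in response.additionalItems ("ssf=128"),
"persistent" for persistent searches, and {"ttl": null} for the internal
deletes that entry expiration triggers (DS 7.1, with internal-operation
logging enabled). Other field names are assumptions, not the full
Common Audit record.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log (not from a real server); the last line is deliberately truncated.
SAMPLE_LOG = r'''
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.5"},"request":{"protocol":"LDAPS","operation":"BIND","dn":"uid=bjensen,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","additionalItems":"ssf=128"}}
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.9"},"request":{"protocol":"LDAPS","operation":"BIND","dn":"uid=kvaughan,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","additionalItems":"ssf=56"}}
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.9"},"request":{"protocol":"LDAP","operation":"BIND","dn":"uid=jwalker,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL"}}
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.5"},"request":{"protocol":"LDAPS","operation":"SEARCH","dn":"dc=example,dc=com"},"response":{"status":"SUCCESSFUL","additionalItems":"persistent"}}
{"eventName":"DJ-LDAP","client":{"ip":"internal"},"request":{"protocol":"internal","operation":"DELETE","dn":"uid=tmp1,ou=Sessions,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","additionalItems":{"ttl":null}}}
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.7"},"request":{"protocol":"LDAPS","op
'''

SSF_RE = re.compile(r"\bssf=(\d+)\b")


def parse_access_log(text: str) -> List[Dict]:
    """Parse one JSON event per line; skip blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a rotated or half-written line must not abort the scan
    return events


def additional_items(event: Dict):
    """additionalItems is a string ("ssf=128", "persistent") or an object ({"ttl": null})."""
    return event.get("response", {}).get("additionalItems")


def negotiated_ssf(event: Dict) -> Optional[int]:
    """SSF recorded for the bind, or None when no secure layer was recorded."""
    items = additional_items(event)
    if isinstance(items, str):
        match = SSF_RE.search(items)
        if match:
            return int(match.group(1))
    return None


def weak_binds(events: Iterable[Dict], min_ssf: int = 128) -> List[Dict]:
    """Binds with no recorded SSF (for example over plain LDAP) or an SSF below min_ssf.

    Bind requests are still accepted on insecure connections under the
    allow-discovery policy, so this is where a cleartext password on the wire shows up.
    """
    findings = []
    for event in events:
        request = event.get("request", {})
        if request.get("operation") != "BIND":
            continue
        ssf = negotiated_ssf(event)
        if ssf is None or ssf < min_ssf:
            findings.append({"dn": request.get("dn"),
                             "client": event.get("client", {}).get("ip"),
                             "protocol": request.get("protocol"),
                             "ssf": ssf})
    return findings


def ttl_deletes(events: Iterable[Dict]) -> List[str]:
    """DNs removed by entry expiration rather than by a client request."""
    return [event["request"]["dn"] for event in events
            if event.get("request", {}).get("operation") == "DELETE"
            and isinstance(additional_items(event), dict)
            and "ttl" in additional_items(event)]


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for finding in weak_binds(parsed):
        print("weak or insecure bind:", finding)
    for dn in ttl_deletes(parsed):
        print("expired by TTL:", dn)
```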

Details when a connection handler fails to start

When a connection handler fails to start, DS servers now log an error message indicating the cause.

Monitoring
Monitor account replicated by default

DS servers now replicate the monitor user created at setup time (default DN: uid=monitor).

This lets commands like dsrepl status use the same account credentials to retrieve monitoring information from all servers. You can use the account in the same way for multi-server monitoring operations.

Networking
Advertised listen address

DS servers now have a new, required, global property, advertised-listen-address. This setting specifies the hostname or IP address that clients should use for connecting to the server. The advertised-listen-address can be multi-valued in systems with multiple network interfaces. DS servers also now have a global property, listen-address.

The listen-address property can be set to the wildcard IP address, 0.0.0.0, but the advertised-listen-address property cannot. By default, replication and connection handlers inherit their settings for listen addresses from these global properties.

This improvement lets DS servers make fewer DNS requests than before.

When setting up a new server, the setup command sets the advertised-listen-address property to the IP address or the FQDN provided as the --hostname argument.

During upgrade, the value for the advertised-listen-address property is assigned using the hostname derived from administrative data under cn=admin data. If any listen-address properties are set to the same value, then those settings are removed during upgrade, and the values are inherited instead.

Passwords
SCRAM SASL support

DS software now supports Salted Challenge Response Authentication Mechanism (SCRAM) SASL binds.

A SASL SCRAM mechanism provides a secure alternative to transmitting plaintext passwords during binds. It is an appropriate replacement for DIGEST-MD5 and CRAM-MD5.

With a SCRAM SASL bind, the client must demonstrate proof that it has the original plaintext password. During the SASL bind, the client must perform computationally intensive processing to prove that it has the plaintext password. This computation is like what the server performs for PBKDF2, but the password is not communicated during the bind.

Once the server has stored the password, the client pays the computational cost to perform the bind. The server only pays a high computational cost when the password is updated, for example, when an entry with a password is added or during a password modify operation. A SASL SCRAM mechanism therefore offers a way to offload the high computational cost of secure password storage to client applications during authentication.

Password storage using a SCRAM storage scheme is compatible with simple binds and SASL PLAIN binds. When a password is stored using a SCRAM storage scheme, the server pays the computational cost to perform the bind during a simple bind or SASL PLAIN bind.

The SCRAM password storage scheme must match the SASL SCRAM mechanism used for authentication. In other words, SASL SCRAM-SHA-256 requires a SCRAM-SHA-256 password storage scheme. SASL SCRAM-SHA-512 requires a SCRAM-SHA-512 password storage scheme.

DS software offers the following in the configuration for new servers:

Password Storage Scheme    SASL Mechanism
SCRAM-SHA-256              SCRAM-SHA-256
SCRAM-SHA-512              SCRAM-SHA-512

For additional information, refer to Password storage for the server, and LDAP connection factories for the REST to LDAP gateway.
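The bind flow described above as an added example, not DS code: a SCRAM-SHA-256 exchange following RFC 5802 and RFC 7677, where the server stores only the salt, iteration count, StoredKey and ServerKey, so PBKDF2 runs on the server only when the password is set and on the client at bind time. The class and function names are this example's own; it omits SASLprep of the user name and channel binding, and the 128-bit salt mirrors the salt size these notes describe.

```python
"""Added example (not DS code): a SCRAM-SHA-256 bind per RFC 5802 / RFC 7677.

The server keeps only salt, iteration count, StoredKey and ServerKey, derived
once with PBKDF2 when the password is set. At bind time the client runs
PBKDF2; the server runs only a few HMAC/SHA-256 operations.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

HASH = "sha256"


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _attrs(message: str) -> Dict[str, str]:
    # SCRAM attributes are "k=value" pairs; base64 values may themselves contain "=".
    return dict(part.split("=", 1) for part in message.split(","))


def store_scram_password(password: str, iterations: int = 4096,
                         salt: Optional[bytes] = None) -> Dict:
    """Server side, at password update time: the only PBKDF2 the server ever runs."""
    salt = salt if salt is not None else os.urandom(16)  # 128-bit salt
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}


class ScramClient:
    def __init__(self, user: str, password: str, nonce: Optional[str] = None):
        self.user, self.password = user, password  # user assumed free of "," and "="
        self.cnonce = nonce or _b64(os.urandom(18))

    def first_message(self) -> str:
        self.bare = f"n={self.user},r={self.cnonce}"
        return "n,," + self.bare  # "n,," = no channel binding

    def final_message(self, server_first: str) -> str:
        a = _attrs(server_first)
        nonce, salt, iterations = a["r"], base64.b64decode(a["s"]), int(a["i"])
        if not nonce.startswith(self.cnonce):
            raise ValueError("server nonce does not extend the client nonce")
        # The expensive step happens here, on the client, and the password never leaves it.
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode("utf-8"), salt, iterations)
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={_b64(b'n,,')},r={nonce}"
        self.auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        signature = _hmac(hashlib.sha256(client_key).digest(), self.auth_message)
        proof = bytes(x ^ y for x, y in zip(client_key, signature))
        self.server_key = _hmac(salted, b"Server Key")
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        """Mutual authentication: the server proves it holds ServerKey."""
        expected = _hmac(self.server_key, self.auth_message)
        return hmac.compare_digest(base64.b64decode(_attrs(server_final)["v"]), expected)


class ScramServer:
    def __init__(self, credentials: Dict[str, Dict], nonce: Optional[str] = None):
        self.credentials = credentials  # user -> store_scram_password(...)
        self.snonce = nonce or _b64(os.urandom(18))

    def first_message(self, client_first: str) -> str:
        self.client_bare = client_first[len("n,,"):]
        a = _attrs(self.client_bare)
        self.cred = self.credentials[a["n"]]
        self.nonce = a["r"] + self.snonce
        self.server_first = (f"r={self.nonce},s={_b64(self.cred['salt'])},"
                             f"i={self.cred['iterations']}")
        return self.server_first

    def final_message(self, client_final: str) -> Optional[str]:
        """Return the server-final message, or None when the proof is rejected."""
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self.nonce:
            return None  # replayed or tampered nonce
        auth_message = f"{self.client_bare},{self.server_first},{without_proof}".encode()
        signature = _hmac(self.cred["stored_key"], auth_message)
        client_key = bytes(x ^ y for x, y in zip(base64.b64decode(proof_b64), signature))
        # Only the right password yields a ClientKey whose hash equals StoredKey.
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.cred["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.cred["server_key"], auth_message))


def scram_bind(credentials: Dict[str, Dict], user: str, password: str) -> bool:
    """Run the full four-message exchange; True only if both sides verify."""
    client, server = ScramClient(user, password), ScramServer(credentials)
    server_first = server.first_message(client.first_message())
    server_final = server.final_message(client.final_message(server_first))
    return server_final is not None and client.verify_server(server_final)
```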

DS servers now support LDAP subentry password policies that match all features available in per-server password policies.

Servers store subentry policies in the directory data, and therefore replicate them. This improvement significantly simplifies password policy management across multiple replicas.

For details, refer to DS subentry password policies. Many samples in the documentation now demonstrate features of the improved subentry password policies.

Stronger password storage schemes

DS servers now support additional password storage schemes, PBKDF2-HMAC-SHA256 and PBKDF2-HMAC-SHA512.

The new password storage schemes use SHA-256 and SHA-512 hash-based message authentication code settings. The PBKDF2 password storage scheme uses SHA-1.

To migrate passwords to a new storage scheme, refer to Deprecate a password storage scheme.

128-bit salt

Salted hashed password storage schemes now use 128-bit salt when generating a hash.

This change applies to the following password storage schemes:

  • PBKDF2

  • PBKDF2-HMAC-SHA256

  • PBKDF2-HMAC-SHA512

  • Salted MD5

  • Salted SHA-1

  • Salted SHA-256

  • Salted SHA-384

  • Salted SHA-512

Rehash passwords

You can now configure BCrypt and PBKDF2-based password storage schemes to recalculate password hashes after the iterations settings are changed. DS servers recalculate and store an account’s password hash when the user binds successfully with their password.

For details regarding BCrypt and PBKDF2-based schemes, refer to the reference for the property rehash-policy.

Password quality advice

DS servers support a new control to request password quality advice when changing a password. Should the request fail due to low password quality, the response control indicates which password validator settings led to the failure.

The ldappasswordmodify and ldapmodify commands support the new control. Use them to test and debug password policy validation settings.

The new LDAP control has interface stability Evolving. It may be removed in a future release, or replaced with a more general mechanism.

For details, refer to Check password quality (LDAP), and Check password quality (REST).

Performance
Faster export

The export-ldif command can now complete an export up to twice as fast as before. This improvement is particularly useful with large data sets including tens or hundreds of millions of entries.

Faster REST to LDAP performance

DS servers now perform better for REST to LDAP searches, and operations that rely on ETags for MVCC.

Proxy
Mutual TLS with LDAP servers

The setup command now lets a proxy backend bind to remote servers with mutual TLS. The setup profile for a proxy server configures the server to use mutual TLS to authenticate when binding to backend servers. As a result, you must provision the key manager for the proxy with the proxy service account keys, and include the certificate in the proxy user account when using the DS proxy server setup profile.

For details, refer to Install a directory proxy.

DS proxied server

When setting up new DS replicas, use the ds-proxied-server setup profile to prepare the replicas for use with new DS proxy servers.

For details, refer to Install DS for use with DS proxy.

REST
Path references

REST to LDAP mappings now support references by resource paths, simplifying access to all resource fields. REST clients can use this to issue graph-like queries. For example, the following path and query filter returns the groups that Babs Jensen’s manager belongs to:

/users/bjensen?_fields=/manager/group

For an example, refer to Graph-like queries.

To demonstrate this feature, the sample REST to LDAP mapping now uses resource paths. The configuration is simpler than the configuration with base DN references.

For example, this excerpt shows a manager reference from the version that uses a base DN:

{
  "manager": {
    "type": "reference",
    "ldapAttribute": "manager",
    "baseDn": "..",
    "primaryKey": "uid",
    "mapper": {
      "type": "object",
      "properties": {
        "_id": {
          "type": "simple",
          "ldapAttribute": "uid",
          "isRequired": true
        },
        "displayName": {
          "type": "simple",
          "ldapAttribute": "cn",
          "writability": "readOnlyDiscardWrites"
        }
      }
    }
  }
}

The same manager reference using a resource path now looks like this:

{
  "manager": {
    "type": "reference",
    "resourcePath": ".."
  }
}

The latter definition ensures access to all fields defined for the referenced resource.

Reverse references

REST to LDAP mappings now support reverse references.

Reverse references are similar to the isMemberOf LDAP attribute used for groups. For example, use a reference mapping to list a user’s devices, or to list a manager’s reports:

{
  "reports": {
    "type": "reverseReference",
    "resourcePath": "..",
    "propertyName": "manager"
  }
}

For an example in context, refer to Reverse references.

Password quality advice

REST to LDAP now supports passwordQualityAdvice and dryRun query string parameters.

The passwordQualityAdvice parameter relies on the DS LDAP password quality advice control, OID 1.3.6.1.4.1.36733.2.1.5.5, which users must have access to request. The dryRun parameter relies on the LDAP no-op control, OID 1.3.6.1.4.1.4203.1.10.2.

The password quality advice control and the passwordQualityAdvice parameter have interface stability: Evolving. They may be removed in a future release, or replaced with a more general mechanism.

For details, refer to Check password quality.

Account usability support

REST to LDAP now includes an accountUsability action.

For details, refer to Account usability action.

SASL EXTERNAL and SASL SCRAM support

The REST to LDAP gateway now supports SASL EXTERNAL and SASL SCRAM binds.

For details, refer to LDAP connection factories.

Per-Server password policies over REST

DS servers now let you create per-server (configuration-based) password policies over REST.

For an example, refer to Per-server password policies.

Replication
Replication at setup time

The setup command now lets you configure replication at setup time.

You no longer need to get all peer servers running before configuring replication. The server begins replicating with peer servers when it comes online, and when it can contact the peers. For this reason, the setup command no longer starts the server by default. To ensure replication proceeds smoothly from the beginning, finish configuring the server before starting it for the first time.

These new setup command options enable replication:

  • When you set the -r, --replicationPort option, the server runs a replication service and maintains a changelog.

    If you add local application data at setup time, the server replicates the data with other replicas. There is no need to configure and initialize replication separately.

  • When you set the --bootstrapReplicationServer option, the server contacts the specified replication server(s) to discover peer replicas and replication servers. This option is required when replicating between multiple servers.

    Use this option multiple times to specify redundant bootstrap servers for availability. Specify the same list of bootstrap servers each time you set up a replica.

    Your first bootstrap server(s) must have replication ports, because the first bootstrap server(s) must play the replication server role.

For examples, refer to Installation.

New command to manage replication

After configuring servers to replicate as part of the setup process, use the new dsrepl command to manage replication.

For details, refer to Replication.

String-based server IDs

DS 7.0.0 lets you set server IDs to alphanumeric strings, such as ds1-us-west.

When you set a server ID, take care to choose a relatively short string.

The server ID appears in historical data values that include a change sequence number. For example, it shows up in monitoring metrics, and in the values of ds-sync-state and ds-sync-hist attributes in application data on DS replicas. As a result, historical data is potentially easier to interpret, but larger than in previous versions where server IDs were numbers.

One server ID per server

Servers are now identified by a single, global server ID. For details, refer to server-id.

For new servers, use the setup command to specify the server ID, or accept the generated default string.

For existing servers, the upgrade command derives the ID in the following way:

  • The command uses the existing global server ID, if available.

  • Otherwise, the command uses the first server ID found in cn=admin data.

Other server ID values are no longer used.

If replication has not yet been configured, the command generates a new ID for the server.

One group ID per server

Servers now have a single, global group ID. For details, refer to group-id.

For existing servers with group IDs, the upgrade command determines which ID is used most, and uses that ID as the single, global ID.

Replication delay metrics

DS 7.0.0 introduces replication receive delay and replay delay monitoring metrics. These metrics provide the best means yet to help you estimate whether the data in your directory server replicas is converging toward a consistent state.

For details, refer to Replication delay (LDAP), or Replication delay (Prometheus).

Replay performance

DS 7.0.0 improves replication replay performance, reduces disk space used by the replication changelog database, and reduces replication delay in deployments under extreme load.

Replication of offline LDIF changes

Servers now replicate changes made offline to an LDIF backend. The server replicates the offline changes once it starts again.

Automatic purge of stale replicas

DS 7.0.0 purges out-of-date replicas from the changelog. The replica is purged when it has been out of contact for longer than the replication purge delay.

This enables DS servers to eventually discard information about replicas that you have removed from service, for example.

You can also use the dsrepl purge-meta-data command to eliminate stale historical data. For details, refer to Manual purge.

Exclude domains from changelog indexes

DS 7.0.0 introduces a new replication server property to exclude domains from the changelog indexes, changelog-enabled-excluded-domains. Use this to prevent applications that read the external change log from having to process update notifications for entries that are not relevant to them.

This property eliminates the need for a separate external changelog domain configuration.

For an example, refer to Exclude a domain.

CTS excluded from changelog indexing

The am-cts setup profile now excludes the CTS base DN from change number indexing.

There is no need to update the changelog configuration manually after installing a new DS replica for use as a CTS store.

More details about unresolved conflicts

DS servers now log additional information about naming conflicts, which helps you identify the server that generated the conflicting operation.

Samples
Sample for building custom Docker images

The DS server distribution now includes a sample Dockerfile and related files for building custom DS Docker images.

Updated sample for Grafana and Prometheus

The DS server distribution now includes an updated sample monitoring dashboard for use with Grafana and Prometheus.

Schema
Require TRUE or FALSE boolean values

DS servers now support an option to require strict compliance for boolean attribute values.

By default, DS servers accept a range of values for boolean attributes. For details, refer to strict-format-boolean.

Security
Secure by default

Default settings for new DS servers are more secure than before.

The explicit --productionMode option has been removed, as server configurations and profiles are now secure by default. New server installations require:

Secure connections

All operations except bind requests and StartTLS requests, and base object searches on the root DSE, require secure connections.

This behavior is governed by the global configuration property, unauthenticated-requests-policy, which is now set to allow-discovery, instead of allow, unless the last setup profile applied is the ds-evaluation profile.

For details on securing connections, refer to Secure connections.

Authentication

By default, servers deny anonymous access to most LDAP operations, controls, and extended operations.

For details on access control, refer to Access control.

Additional access policies

By default, servers deny access to directory data. You must configure access policies to grant access to directory data. For details on granting access, refer to Access control.

Only the evaluation setup profile is more lenient. It grants global permission to perform operations over insecure connections, and open access to sample Example.com data. For details, refer to Install DS for evaluation.

Stronger passwords

Passwords must have at least 8 characters. Common passwords are rejected.

For details on changing password policy, refer to Passwords.

Permission to read log files

Log files are now read/write only by the DS server user.

For details on log file permissions, refer to File permissions.

As the upgrade process preserves the existing configuration, upgraded servers are not affected.

Simple private PKI

The setup and dskeymgr commands simplify creation and management of a public key infrastructure (PKI).

DS 7.0.0 introduces the concept of a deployment ID and deployment ID password. The deployment ID and password serve as an alternative to a private CA, simplifying evaluation, development, and testing, and managing directory services. They also serve to derive a shared master key to protect secret keys. The deployment ID and password are required as part of the setup process. For details, refer to Cryptographic keys.

When you use an existing CA, you can continue to use key pairs with CA-signed certificates.

For public-facing directory services, you can continue to configure connection handlers with additional key and trust manager providers using certificates signed by a well-known CA. For details, refer to Key management.

To manage deployment keys, key pairs, CA certificates, and master keys after setting up a server, use the dskeymgr command.

Many examples in the documentation now demonstrate use of deployment IDs and passwords.

Keystores reload without restart

DS servers now reload file-based keystores and truststores when their contents change.

This lets you rotate certificates and keys without restarting the key manager or trust manager components.

Simple key rotation

DS 7.0.0 greatly simplifies rotating the key pairs used to secure replication connections. By default, replication now uses the same keys as the other connection handlers.

For details on changing key pairs, refer to Key management.

Alternative PKCS#11 types

PKCS#11 key managers and trust managers now let you set the keystore or truststore type. The default type is PKCS11.

If your JVM supports other types, set the keystore or truststore type with one of the following properties:

  • key-store-type

  • trust-store-type

Multiple trust managers

The following configuration objects can now reference multiple trust manager providers:

  • Administration connector

  • HTTP connection handler

  • LDAP connection handler

Use this feature to allow trust for both well-known CAs whose certificates are stored in the JVM truststore, and internal or deployment-specific CAs whose certificates are stored in a separate truststore.

Multiple certificate mappers

An external SASL mechanism handler can now reference multiple certificate-mapper configurations.

The server uses the first certificate mapper that finds a successful match.

Indexes for certificate attributes

When you create a user data backend using the ds-user-data setup profile, the setup process now configures equality indexes for the ds-certificate-fingerprint and ds-certificate-subject-dn attributes.

Certificate mappers use these indexes during certificate-based authentication.

Richer access log messages

DS servers now record additional items in access log messages when multiple password policy subentries apply to a user. The messages are logged only for bind, add, and modify operations. The messages show the DN of the user having more than one applicable policy, and the DN of the policy the server actually used for the operation.

The server logs a message such as the following for a bind request with two conflicting policies:

"additionalItems":{"pwdpolicywarning":"Found 2 conflicting password policy subentries for user <user-dn>,
used <policy-dn>","ssf":"0"}

As described in Assign password policies, you must not assign more than one password policy to the same account.
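
The warning above is easy to miss in a busy access log. The following script, an added example rather than DS code or output, reads JSON access messages, skips non-JSON lines, and extracts the user DN, the policy DN the server chose, and the number of conflicting subentries from the pwdpolicywarning item. The sample lines are constructed; the placement of additionalItems under response is assumed, so the code searches the message for the key rather than relying on a fixed path.

```python
"""Flag accounts with more than one applicable password policy from DS JSON access logs."""
import json
import re

# Constructed sample input (not real server output): two JSON access messages, one of
# which carries the pwdpolicywarning item, plus one non-JSON server event line of the
# kind that appears when access logging goes to standard output.
SAMPLE_LOG = """\
[15/Jan/2024:10:00:00 +0000] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.5","port":51234},"request":{"protocol":"LDAP","operation":"BIND","connId":7,"msgId":1,"dn":"uid=bjensen,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":3,"elapsedTimeUnits":"MILLISECONDS","additionalItems":{"pwdpolicywarning":"Found 2 conflicting password policy subentries for user uid=bjensen,ou=People,dc=example,dc=com, used cn=Strict Policy,ou=Policies,dc=example,dc=com","ssf":"0"}}}
{"eventName":"DJ-LDAP","client":{"ip":"10.0.0.6","port":51235},"request":{"protocol":"LDAP","operation":"BIND","connId":8,"msgId":1,"dn":"uid=kvaughan,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":2,"elapsedTimeUnits":"MILLISECONDS","additionalItems":{"ssf":"0"}}}
"""

# Matches the message text shown in the release notes. DNs contain commas, so the user
# DN is matched lazily up to the literal ", used ".
_WARNING_RE = re.compile(
    r"Found (?P<count>\d+) conflicting password policy subentries for user "
    r"(?P<user>.+?), used (?P<policy>.+)$"
)


def parse_access_lines(text):
    """Return the JSON access messages in text, skipping any non-JSON lines."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            messages.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; ignore it
    return messages


def _find_key(obj, key):
    """Depth-first search for key anywhere in a nested JSON object."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _find_key(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for value in obj:
            found = _find_key(value, key)
            if found is not None:
                return found
    return None


def find_policy_conflicts(text):
    """Return one record per access message whose additionalItems carry pwdpolicywarning."""
    conflicts = []
    for msg in parse_access_lines(text):
        items = _find_key(msg, "additionalItems") or {}
        warning = items.get("pwdpolicywarning") if isinstance(items, dict) else None
        if not warning:
            continue
        match = _WARNING_RE.search(warning)
        if not match:
            continue
        conflicts.append({
            "operation": _find_key(msg, "operation"),
            "user": match.group("user"),
            "policy": match.group("policy"),
            "count": int(match.group("count")),
            "ssf": items.get("ssf"),
        })
    return conflicts


if __name__ == "__main__":
    for record in find_policy_conflicts(SAMPLE_LOG):
        print(f"{record['operation']}: {record['user']} has {record['count']} policies; "
              f"server used {record['policy']}")
```

Each record names the account to fix; the remediation is the one the notes give, removing the extra policy assignment so exactly one subentry applies.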

Tools
New setup-profile command

A new command, setup-profile, enables configuration of setup profiles following initial installation. Use the setup-profile command when the server is offline.

This command is intended for use in DevOps deployments where you apply additional configuration to a base image that is the same for all deployments.

If you have changes that apply to each server you set up, you can create and maintain your own setup profile. For details, refer to Setup profiles.

Configurable domains and base DNs

All setup command profiles, except the ds-evaluation profile, now allow you to set the domain or the base DN.

For details, refer to Setup profiles.

Generate systemd service files

The create-rc-script command now produces a systemd service file when you use the --systemdService option.

Generate user entries for evaluation

The ds-evaluation setup profile now lets you generate an arbitrarily large number of similar user entries. By default, the profile adds 100,000 generated users in addition to users previously included, such as Babs Jensen and Kirsten Vaughan.

Each user entry has a uid RDN like user.number. Each user entry’s password is password.

The capability replaces the setup command option -d, --sampleData.

Proxied authorization for rate tools

The addrate, modrate, and searchrate commands now support proxied authorization with the -Y, --proxyAs {authzID} option.

Support for formatted integers

Formatted integers can now be supplied to some integer arguments, making commands easier to read.

When setting the number of generated sample entries as an argument to the setup command, and when setting integer arguments for the addrate, authrate, modrate, and searchrate commands, you can now use formatted integers.

For example, the following are equivalent to 10000000:

10,000,000
10.000.000
"10'000'000"
10_000_000
"10 000 000"

Templates for the makeldif command can also accept formatted integers for numbers declared in a subordinate template.
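
As an added example (not DS code), the parser below accepts the five forms listed above and rejects malformed values. The grouping rule it enforces, a leading group of one to three digits followed by groups of exactly three with a single separator kind per value, is this example's own assumption; the DS commands may be more lenient.

```python
"""Parse the formatted integer forms accepted by the setup and rate commands."""

# Separators shown in the release notes. The grouping rule (first group of one to three
# digits, then groups of exactly three, one separator kind per value) is this example's
# own assumption; DS itself may accept more.
SEPARATORS = ",.'_ "


def parse_formatted_integer(text):
    """Return the int value of text, or raise ValueError if it is not well formed."""
    value = text.strip()
    if value.isdigit():
        return int(value)
    used = [sep for sep in SEPARATORS if sep in value]
    if len(used) != 1:
        raise ValueError(f"mixed or missing separators: {text!r}")
    groups = value.split(used[0])
    head, rest = groups[0], groups[1:]
    if not (head.isdigit() and 1 <= len(head) <= 3):
        raise ValueError(f"bad leading group: {text!r}")
    if not all(g.isdigit() and len(g) == 3 for g in rest):
        raise ValueError(f"bad digit grouping: {text!r}")
    return int("".join(groups))


if __name__ == "__main__":
    for form in ("10,000,000", "10.000.000", "10'000'000", "10_000_000", "10 000 000"):
        print(f"{form!r:>14} -> {parse_formatted_integer(form)}")
```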

Task management

The manage-tasks command now has --status and --type options.

When used with the --summary option, these options filter the list to include only tasks of the specified type and status. The option arguments are case-insensitive, and must be provided in the JVM locale.

For example, to list only unscheduled tasks on a JVM with the French locale, use --status "non planifié" instead of --status unscheduled.

Set task IDs and descriptions

When you schedule a task, you can now set its identifier with the --taskId option, and its description with the --description option. The identifiers and descriptions appear in output and messages that describe the task.

These new options are especially useful for recurring tasks. Use the task identifier when managing the task in subsequent commands, for example.

No changes when reading JE backends offline

The following tools now never write to JE backend databases when reading JE information:

  • backendstat

  • export-ldif

  • verify-index

Status output improvements

The status command now displays the same types of information independently of the server configuration, and regardless of whether the command runs in online or offline mode.

The command still displays more detailed information in online mode than in offline mode.

Supportextract improvements
  • The supportextract command now also collects:

    • The directory superuser and monitor user account files.

    • The archived configuration files.

    • The profile and backend database version files.

    • Information about the changelog database.

    • The server.out log file before capturing stack traces.

    • The server PID in a message in the tool’s log.

    • The cpuinfo, meminfo, slabinfo, and buddyinfo files on Linux systems.

    • Stack traces with the jcmd tool, falling back to the jstack tool, and then to SIGQUIT (kill -3 on Linux) as necessary.

    • Environment variables used in configuration expressions.

  • The extract generated by the tool is now compatible with the Java 11 JVM unified logging framework.

Byte-by-byte LDIF comparisons

The ldifdiff command now supports a new -x, --exactMatch option for byte-by-byte LDIF comparisons.

This is useful for comparing LDAP schema files, for example.

DS 6.5.6

DS 6.5.6 is the final release targeted for DS 6.5.x deployments and can be downloaded from the download page.

DS 6.5.6 can be deployed as an initial deployment or updated from an existing DS 6.5.x deployment.

  • The supportextract command now collects environment variables used in configuration expressions.

DS 6.5.5

  • DS servers now more effectively calculate reservable memory when using G1 garbage collection, and reduce the risk of long fsync pauses.

    This change introduces a ds-mon-db-cache-size-total metric to track the maximum size of the database cache. It also changes the ds-mon-db-log-size-active metric to reflect only live data.

  • The supportextract command now uses the jcmd command, if available, for heap dumps. Otherwise, it uses the jmap command.

DS 6.5.4

There are no new features introduced in DS 6.5.4, only bug fixes.

DS 6.5.3

DS servers now support storing the ads-certificate key pair and peer DS servers' trusted public keys in a PKCS#11 module, such as a hardware security module (HSM). This means you can store the keys used to secure replication traffic and to protect symmetric keys in an HSM. Previously, DS servers supported use of a PKCS#11 module only to store the keys used to secure other communications.

DS servers support PKCS#11 modules through the JVM. How to configure the JVM to allow DS servers to use your module, how to generate keys in the module, and how to export and import public key certificates all depend on your specific HSM/PKCS#11 module.

For details on how to perform such actions, refer to your PKCS#11 module’s documentation.

Before trying this feature, perform these tests:

  • Test that the PKCS#11 module supports multiple aliases for the same certificate.

  • Test that the PKCS#11 module supports generating a key pair with an RSA self-signed certificate and a key size of 2048 bits.

  • Test the replication topology using the default JKS ads-truststore implementation.

    Verify that replication functions properly before using the PKCS#11 module.

After validating the results of the tests, use the new feature by performing these steps for each server:

  1. Configure JVM security to enable use of the PKCS#11 module for the server.

  2. Generate a key pair using an RSA self-signed certificate and a key size of 2048 bits with the alias ads-certificate on the PKCS#11 module.

  3. After generating the key pair:

    1. Export the ads-certificate certificate, and reimport it on the PKCS#11 module using the MD5 fingerprint as the certificate alias.

      For example, if the ads-certificate certificate MD5 fingerprint is 07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C, reimport the certificate with the alias 073580D8F3CEE1399CD073DB6CFACC1C.

    2. Prepare LDIF to update cn=admin data for the new certificate.

      The LDIF adds the new certificate as an instance key, and sets the key ID for the current server to use the key. In the following example LDIF, the certificate alias is 073580D8F3CEE1399CD073DB6CFACC1C, and the server hostname:admin-port combination is opendj.example.com:4444:

      dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys, cn=admin data
      changetype: add
      ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
      ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
      QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
      LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
      0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
      CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
      cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
      GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
      7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
      srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
      objectClass: top
      objectClass: ds-cfg-instance-key
      
      dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
      changetype: modify
      replace: ds-cfg-key-id
      ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C

      Do not yet update cn=admin data. You must not change the server key ID until the server is ready to use the PKCS#11 module.

  4. Edit the ads-truststore trust manager provider configuration to access the PKCS#11 module with the following properties:

    trust-store-file

    Leave this unchanged.

    trust-store-pin

    Set this to the PIN for the PKCS#11 module.

    You can avoid exposing secrets in the configuration by using expressions. For details, refer to Property value substitution.

    trust-store-type

    Set this to PKCS11.

  5. Stop the DS server.

  6. Using the ldifmodify command while the server is stopped, update cn=admin data for the server with the LDIF you prepared.

    This step changes the key ID for the server, letting it use its keys held in the PKCS#11 module.

  7. On another, running server replica, use the ldapmodify command to update cn=admin data for the server with the LDIF you prepared.

    Replication propagates the change to the other running server replicas.

    This step changes the key ID for the server, letting other servers trust its new certificate once it restarts.

  8. Restart the DS server.
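
Steps 3.1 and 3.2 above are mechanical and easy to get wrong by hand (a mistyped alias means the other replicas never trust the new certificate). The following script, an added example that is not part of DS, derives the colon-free MD5 alias from a certificate's DER bytes and writes the two cn=admin data LDIF records in the form shown above, folding the base64 value the way LDIF requires. The placeholder bytes are constructed; with a real deployment you would pass the DER of the exported ads-certificate, and how you export it depends on your PKCS#11 module.

```python
"""Derive the ads-certificate alias from the certificate's MD5 fingerprint and build the
cn=admin data LDIF from the procedure in the release notes."""
import base64
import hashlib


def der_from_pem(pem_text):
    """DER bytes from a PEM certificate (the base64 between the BEGIN/END lines)."""
    body = [line.strip() for line in pem_text.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint_md5(der):
    """Colon-separated, uppercase MD5 fingerprint of the DER encoding."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def alias_from_fingerprint(fingerprint):
    """The alias the procedure requires: the fingerprint with the colons removed."""
    return fingerprint.replace(":", "").upper()


def fold_base64_attribute(attr, raw, width=76):
    """LDIF base64 attribute value ('::'), folded with one-space continuation lines."""
    line = f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    folded = [line[:width]]
    rest = line[width:]
    while rest:
        folded.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(folded)


def admin_data_ldif(der, hostname, admin_port):
    """LDIF that adds the certificate as an instance key and points the server at it."""
    alias = alias_from_fingerprint(fingerprint_md5(der))
    add_instance_key = "\n".join([
        f"dn: ds-cfg-key-id={alias},cn=instance keys,cn=admin data",
        "changetype: add",
        f"ds-cfg-key-id: {alias}",
        fold_base64_attribute("ds-cfg-public-key-certificate;binary", der),
        "objectClass: top",
        "objectClass: ds-cfg-instance-key",
    ])
    set_server_key_id = "\n".join([
        f"dn: cn={hostname}:{admin_port},cn=Servers,cn=admin data",
        "changetype: modify",
        "replace: ds-cfg-key-id",
        f"ds-cfg-key-id: {alias}",
    ])
    return f"{add_instance_key}\n\n{set_server_key_id}\n"


# Constructed placeholder standing in for a real DER certificate exported from the
# PKCS#11 module. For a real server, use der_from_pem(open(path).read()) instead.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"

if __name__ == "__main__":
    print(fingerprint_md5(PLACEHOLDER_DER))
    print(admin_data_ldif(PLACEHOLDER_DER, "opendj.example.com", 4444))
```

The same LDIF file serves both step 6 (ldifmodify on the stopped server) and step 7 (ldapmodify on a running replica), which is why generating it once from the certificate bytes is safer than editing two copies.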

DS 6.5.2

There are no new features introduced in DS 6.5.2, only bug fixes.

DS 6.5.1

There are no new features introduced in DS 6.5.1, only bug fixes.

DS 6.5.0

Connection limiting

DS servers now allow you to limit the number of concurrent connections per client.

For details, refer to Connection limits.

Data distribution

DS proxy servers now support simple, non-elastic data distribution.

You can configure a proxy server to distribute LDAP write requests equitably across multiple replication partitions, scaling the directory service horizontally. The present implementation does not permit elastic scaling or data redistribution, so make sure you understand its documented constraints before deploying it in production.

For details, refer to Data distribution.

Database caching

A new DS directory server uses shared cache by default for all JE database backends. As a result, you are no longer required to set the database cache size using the db-cache-percent or db-cache-size setting for each backend.

It remains possible to use these settings if necessary by configuring them appropriately.

Logging
  • DS servers now support sending access log messages to standard output.

    For details, refer to Log access to standard output.

    When the new handler is used, standard output from the server includes a mix of JSON for access messages and non-JSON DS-format server event messages.

  • Common audit logging now supports denying log message fields to prevent them from showing up in log messages.

    For an example, refer to Deny log message fields.

  • Common audit logging now supports writing multiple file-based logs to the same directory by setting a different log-file-name-prefix for each file-based log.

Monitoring

DS servers now provide health status checks for anonymous requests over HTTP and LDAP. This allows a remote application to check that a server is "alive" and "healthy".

Anonymous HTTP requests can retrieve "alive" and "healthy" status codes. Anonymous LDAP requests can retrieve "alive" and "healthy" boolean values.

The "alive" and "healthy" status indicates that the server has passed its own internal tests. It is not, however, a guarantee that the server is free from other errors. If a server is not "alive," it requires administrative intervention. If a server is not "healthy," temporarily route requests to another server.

When a server is not "alive" or "healthy," a user with privileges to read monitoring information receives health status error messages in the body of the HTTP response, and can obtain health status error messages over LDAP. No error messages are returned in response to anonymous requests.

For examples demonstrating how to use this feature, refer to Monitoring.

When you upgrade DS servers to 6.5.0, the anonymously accessible HTTP endpoints are not configured. To add the endpoints on an upgraded server that lacks them, use the dsconfig command:

$ dsconfig \
create-http-endpoint \
--endpoint-name /alive \
--type alive-endpoint \
--set enabled:true \
--set authorization-mechanism:HTTP Anonymous \
--set authorization-mechanism:HTTP Basic \
--hostname opendj.example.com \
--port 4444 \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--trustAll \
--no-prompt

$ dsconfig \
create-http-endpoint \
--endpoint-name /healthy \
--type healthy-endpoint \
--set enabled:true \
--set authorization-mechanism:HTTP Anonymous \
--set authorization-mechanism:HTTP Basic \
--hostname opendj.example.com \
--port 4444 \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--trustAll \
--no-prompt
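
The distinction between "alive" and "healthy" above maps directly onto two different responses from whoever consumes the checks. The probe below, an added example that is not DS code, queries the two endpoints anonymously and turns the result into an action: alert an administrator when the server is not alive, drain traffic when it is alive but not healthy, and serve otherwise. It assumes the endpoints answer 200 when the check passes and a non-2xx status otherwise, and the default URL is a placeholder. The authenticated read uses HTTP Basic, which the dsconfig commands above enable on the endpoints, and only returns error detail for an account with permission to read monitoring information.

```python
"""Probe the anonymous /alive and /healthy endpoints and act on the result as the
release notes describe: not alive means page an administrator, not healthy means
stop routing requests to the server for now."""
import base64
import urllib.error
import urllib.request

OK = 200  # assumption: DS answers 200 when a check passes and a non-2xx status otherwise


def probe(base_url, endpoint, timeout=2.0):
    """Anonymous GET returning the HTTP status code; 0 when the server cannot be reached."""
    request = urllib.request.Request(f"{base_url}{endpoint}", method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.getcode()
    except urllib.error.HTTPError as err:
        return err.code          # the server answered, but with an error status
    except urllib.error.URLError:
        return 0                 # connection refused, DNS failure, or timeout


def classify(alive_status, healthy_status):
    """Map the two status codes onto an action for a load balancer or on-call rotation."""
    if alive_status != OK:
        return "alert"   # not alive: administrative intervention is required
    if healthy_status != OK:
        return "drain"   # alive but not healthy: temporarily route requests elsewhere
    return "serve"


def check_server(base_url):
    """Probe both endpoints and return the action for this server."""
    return classify(probe(base_url, "/alive"), probe(base_url, "/healthy"))


def read_reason(base_url, endpoint, username, password, timeout=2.0):
    """Authenticated GET (HTTP Basic) returning (status, body). Only an account allowed
    to read monitoring information receives error messages in the body."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    request = urllib.request.Request(
        f"{base_url}{endpoint}", method="GET",
        headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.getcode(), response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # Placeholder URL; pass the real HTTPS connection handler address as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://opendj.example.com:8443"
    print(check_server(url))
```

urllib verifies the server certificate, so the CA that signed the DS certificate (the deployment ID CA, or your own) must be in the probe host's trust store; do not disable verification to make the probe pass.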

Platform Integration

When setting up a directory server for use with other Ping Identity Platform component products, you can use available setup profiles to greatly simplify initial configuration.

For details, refer to Setup profiles.

Replication

When configuring a replication server on a multi-homed system with multiple IP addresses, you can now specify which listen addresses to use.

Set the property, listen-address, as shown in Listen addresses.

Support

The DS support extract command, supportextract, now ships with DS server software, making it easier to capture troubleshooting information.

The command works on all supported platforms.

For details, refer to supportextract.

DS 6.0.0

Backend database storage
  • Directory servers now use an optimized JE backend implementation whose dependencies are distributed under the Apache License, Version 2.0. This license is suitable for all deployments, including OEM deployments.

    Support for PDB backend databases has been removed in 6.0.0.

    Before upgrading a directory server using any PDB backends, take one of the following actions:

    • Move the data to JE backend databases before upgrading.

    • Export all data in PDB backend databases to LDIF before upgrading, and import the data into the JE backend databases with the same names after upgrading.

  • Backend indexes now have new time to live (TTL) properties to configure automated, optimized entry expiration and removal:

    • ttl-enabled

    • ttl-age

    For details on how to use this feature, refer to Entry expiration.

  • DS 6.0.0 upgrades JE backend databases to Berkeley DB Java Edition 7.5.11.

  • DS 6.0.0 improves many JE backend settings:

    • A new advanced property, db-durability, makes the backend durability setting easier to configure and to read.

    • New defaults for disk space thresholds better fit modern deployments.

      The property, disk-low-threshold, defaults to 5% of the filesystem size, plus 5 GB.

      The property, disk-full-threshold, defaults to 5% of the filesystem size, plus 1 GB.

    • Default limits for backend database log files better fit larger deployments.

      The property, db-log-file-max, defaults to 1 GB instead of 100 MB.

      The property, db-log-filecache-size, defaults to 200 instead of 100.

      As a result, the database can grow to 200 GB instead of 10 GB on disk before the file cache begins to close database log files in order to open others.

    • The new properties, db-run-log-verifier, and db-log-verifier-schedule, make it possible to configure whether and when the server runs checksum verification on backend database logs.

Configuration expressions
  • Server configuration expressions have been reimplemented to align with other Ping Identity Platform software. Configuration expressions make it possible to substitute configuration property values with variables that you can set before starting DS servers.

    For details, refer to Property value substitution.

Faster bulk updates
  • The ldapmodify and ldapdelete commands now offer a --numConnections option to perform updates in parallel on multiple LDAP connections.

    This feature enables faster bulk updates, and provides an alternative to the import-ldif --append option removed in version 3.0.

JSON support
  • In addition to optimized indexes for JSON attribute values that are queried with common REST query filters, DS directory servers now also support optimizations for JSON with optional fields.

Monitoring
  • DS server monitoring has been reimplemented to align with other Ping Identity Platform software.

    This change affects LDAP and HTTP monitoring interfaces, but not SNMP interfaces. The SNMP interface continues to use standard metrics.

    Monitoring capabilities now have interface stability Stable.

    For documentation about available interfaces and metrics, refer to Monitoring.

    DS servers now feature the following monitoring capabilities:

    • Support for pulling monitoring data to Prometheus monitoring software.

    • Support for pushing monitoring data to a Graphite service.

    • Support for creating a directory monitoring account during setup.

      When using JMX to monitor the server with this account, be aware that in 6.0.0 the account does not have JMX-related privileges. Instead, you must add the required JMX-related privileges, as described in JMX-based monitoring.

  • DS servers support a new privilege, monitor-read. This prevents unauthorized users from reading monitoring metrics unless they have the privilege.

    Assign this privilege to users who read monitoring metrics over LDAP or HTTP.

    When upgrading, add the missing privilege to the global administrator account. The privilege is also required when using the dsreplication status command.

Performance
  • DS 6.0.0 includes many performance improvements.

    No DS server performance improvements require action on your part, though optimal tuning settings including JVM settings may now be different for specific scenarios.

    When upgrading to this release, be aware that the command-line performance tools have a new template value syntax.

Replication
  • DS servers now allow you to choose a single, global server ID used when configuring replication, rather than letting replication configuration randomly assign server IDs.

    Before configuring replication, you can set the global configuration property server-id.

    This makes it easier to keep track of server IDs when reviewing replication configuration, and to parameterize replication configuration in DevOps deployments.

  • DS directory servers store historical replication information for internal use in entries' ds-sync-hist attributes. This release introduces a new encoding that significantly reduces the space required to store ds-sync-hist data.

    The space reduction trades a smaller footprint for increased CPU use when preparing to write ds-sync-hist values. Read and search operations should not be negatively impacted, however. Indeed, read and search performance should improve to the extent that reduced entry size means more efficient use of backend database and CPU caches.

  • DS replication domains can now be disabled by setting enabled:false for the domain. If a replication domain is disabled, its contents are not replicated.

    This change facilitates parameterizing whether backends and associated replication domains are enabled, which is useful in DevOps deployments where not all environments replicate the same data on each replica.

Security
  • DS certificate mappers now support certificate issuer verification. Use this to verify the certificate issuer whenever multiple CAs are trusted in order to prevent impersonation. Different CAs can issue certificates with the same subject DN, but not with the same issuer DN.

    This feature relies on the certificate mapper property, issuer-attribute, to identify the attribute in the user entry that holds the issuer DN. For this purpose, DS servers define the attribute, ds-certificate-issuer-dn, as an optional attribute of the ds-certificate-user object class.

    For an example using this attribute, refer to Certificate-based authentication.
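
The risk the bullet above describes is easiest to see with data. The simulation below, an added example rather than DS's certificate mapper code, holds two constructed user entries whose certificates share a subject DN but come from two different trusted CAs, and applies the mapper's decision rule with and without issuer verification: matching on subject alone yields two candidates and cannot safely authenticate either account, while matching on subject plus issuer resolves exactly one.

```python
"""Simulate a certificate mapper's decision rule with and without issuer verification."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserEntry:
    dn: str
    certificate_subject_dn: str                    # ds-certificate-subject-dn
    certificate_issuer_dn: Optional[str] = None    # ds-certificate-issuer-dn (optional)


# Constructed directory data: two accounts whose certificates carry the same subject DN
# but were issued by two different CAs, both of which the server trusts.
USERS = [
    UserEntry("uid=alice,ou=People,dc=example,dc=com",
              "CN=alice,O=Example Corp", "CN=Corp Issuing CA,O=Example Corp"),
    UserEntry("uid=alice.partner,ou=Partners,dc=example,dc=com",
              "CN=alice,O=Example Corp", "CN=Partner CA,O=Partner Inc"),
]


class MappingError(Exception):
    """Raised when the mapper cannot resolve exactly one user entry."""


def map_certificate(subject_dn, issuer_dn, users, verify_issuer):
    """Return the DN of the single user entry the presented certificate maps to."""
    candidates = [u for u in users if u.certificate_subject_dn == subject_dn]
    if verify_issuer:
        # issuer-attribute points at ds-certificate-issuer-dn; require it to match too
        candidates = [u for u in candidates if u.certificate_issuer_dn == issuer_dn]
    if not candidates:
        raise MappingError("no user entry matches the certificate")
    if len(candidates) > 1:
        raise MappingError(f"{len(candidates)} user entries match; mapping is ambiguous")
    return candidates[0].dn


if __name__ == "__main__":
    presented = ("CN=alice,O=Example Corp", "CN=Partner CA,O=Partner Inc")
    try:
        map_certificate(*presented, USERS, verify_issuer=False)
    except MappingError as err:
        print("subject only:", err)
    print("with issuer :", map_certificate(*presented, USERS, verify_issuer=True))
```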

Server configuration
  • The dsconfig command now allows you to configure DS servers that are not running.

    DS 6.0.0 introduces an --offline option and a --configFile option. When you use the dsconfig --offline command with a DS server that is stopped, you change the server configuration file in the default location, such as /path/to/opendj/config/config.ldif. The --configFile option allows you to specify an alternative configuration file in offline mode.

Server-side sorting
  • JSON ordering matching rules for JSON attributes.

    DS servers can implement JSON ordering matching rules on demand. This enables REST to LDAP to support _sortKeys where a field is inside the value of a JSON attribute.

  • An extension of the server-side sort request sort order specification.

  • A means for REST to LDAP to communicate the _sortKeys field that is inside the value of a JSON attribute to the DS server.

    This functionality is part of REST to LDAP. By using the useServerSideSortForJson boolean configuration parameter, you can configure whether to sort results in the REST to LDAP gateway.

  • A means for the REST to LDAP gateway to limit the maximum number of entries supported by the local sort mechanism when sorting results based on JSON attributes.

    The setting is localSortMaxEntries.

Unindexed Searches

DS directory servers now support the following improvements for unindexed searches. These improvements are designed to help applications that store data in the directory as arbitrary JSON objects, and that provide a graphical UI for browsing directory data accessed over REST. With these improvements, users can page through directory data, sorting on whichever JSON field they choose without initially specifying any filter.

As with any unindexed search that you allow, the tradeoff is inefficient use of system resources and lower performance. This is not, therefore, a general capability that should be provided to all applications without taking the impact into consideration. It is intended for use by a directory data administrator who is browsing data without knowing in advance what they are looking for:

  • DS directory servers can now use an appropriately configured VLV index to sort results for an unindexed search.

  • DS directory servers sort unindexed search results as long as they are paged.

    This improvement has the following limitations:

    • The simple paged results control must specify a page size that is less than or equal to the index-entry-limit (default: 4000).

    • For each page, the server reads the entire backend database, retaining only a page-size number of sorted entries.
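
The cost described in the last limitation is what makes this capability unsuitable for general application use. The code below, an added example and not DS's implementation, serves one sorted page of an unindexed search the same way: a full pass over the backend per page, a bounded heap that never holds more than page-size entries, and a cookie (the rank of the last delivered entry) that the next page uses to skip what was already returned. The sample entries are constructed; the wrapper counts how many full scans paging through all of them takes.

```python
"""How a sorted, unindexed, paged search is served: one full backend scan per page,
retaining only page-size entries in memory."""
import heapq

INDEX_ENTRY_LIMIT = 4000  # default index-entry-limit quoted in the release notes


class _Candidate:
    """Heap item ordered in reverse so heapq's min-heap acts as a bounded max-heap."""
    __slots__ = ("rank", "entry")

    def __init__(self, rank, entry):
        self.rank = rank      # (sort value, entry id): the id breaks ties stably
        self.entry = entry

    def __lt__(self, other):
        return self.rank > other.rank


def sorted_page(backend, sort_attr, page_size, cookie=None):
    """Return (entries, next_cookie) for one page of results sorted on sort_attr.

    backend: iterable of entries (dicts with an integer "id"); it is scanned in full.
    cookie: rank of the last entry delivered on the previous page, or None.
    """
    if page_size > INDEX_ENTRY_LIMIT:
        raise ValueError("page size exceeds index-entry-limit; the search would not be sorted")
    heap = []
    for entry in backend:  # one complete pass over the backend for every page
        rank = (entry[sort_attr], entry["id"])
        if cookie is not None and rank <= cookie:
            continue  # already returned on an earlier page
        candidate = _Candidate(rank, entry)
        if len(heap) < page_size:
            heapq.heappush(heap, candidate)
        elif heap[0] < candidate:  # candidate sorts before the worst retained entry
            heapq.heapreplace(heap, candidate)
    page = sorted(heap, key=lambda c: c.rank)
    entries = [c.entry for c in page]
    next_cookie = page[-1].rank if len(page) == page_size else None
    return entries, next_cookie


class CountingBackend:
    """Wraps a list of entries so the number of full scans can be observed."""

    def __init__(self, entries):
        self.entries = entries
        self.scans = 0

    def __iter__(self):
        self.scans += 1
        return iter(self.entries)


def paginate_all(entries, sort_attr, page_size):
    """Page through every entry; returns (pages, number of full backend scans)."""
    backend = CountingBackend(entries)
    pages, cookie = [], None
    while True:
        page, cookie = sorted_page(backend, sort_attr, page_size, cookie)
        if not page:
            break
        pages.append(page)
        if cookie is None:
            break
    return pages, backend.scans


# Constructed entries with duplicate surnames, so tie-breaking across pages is exercised.
SAMPLE_ENTRIES = [
    {"id": i, "uid": f"user.{i}", "sn": sn}
    for i, sn in enumerate(["Jensen", "Vaughan", "Jensen", "Adams", "Zhang",
                            "Miller", "Adams", "Ortiz", "Brown", "Kim"])
]

if __name__ == "__main__":
    pages, scans = paginate_all(SAMPLE_ENTRIES, "sn", 3)
    for number, page in enumerate(pages):
        print(f"page {number}:", [e["sn"] for e in page])
    print(f"{len(SAMPLE_ENTRIES)} entries, {len(pages)} pages, {scans} full scans")
```

Ten entries paged three at a time cost four full scans; a backend of a few million entries browsed one page at a time costs a full read of the backend per page, which is why the notes restrict this to an administrator browsing data rather than to applications.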

DS 5.5.3

DS 5.5.3 is the final release targeted for DS 5.5.x deployments and can be downloaded from the download page.

DS 5.5.3 can be deployed as an initial deployment or updated from an existing DS 5.5.x deployment.

There are no new features introduced in DS 5.5.3, only bug fixes.

DS 5.5.2

There are no new features introduced in DS 5.5.2, only bug fixes.

DS 5.5.1

There are no new features introduced in DS 5.5.1, only bug fixes.

DS 5.5.0

Backend database storage
  • JE backend databases are upgraded to Berkeley DB Java Edition 7.4.5 in this release.

Directory proxy
  • Directory proxy servers now automatically retry operations when they detect a temporary failure on the remote directory server.

    For details, refer to About failures.

  • The new proxy backend property, heartbeat-search-request-base-dn, lets you configure proxy backend heartbeat requests to target an entry under a base DN of interest rather than targeting the root DSE.

  • When the global configuration property, trust-transaction-ids, is set to true, the proxy backend now adds a ForgeRock transaction ID control before forwarding the request, even if the incoming request did not include the control.

    As a result, all proxied requests have ForgeRock transaction IDs when you configure the server to trust transaction IDs.

Monitoring
  • Replication server configurations now include these advanced properties for monitoring disk space use and stopping operations when the disk is full:

    disk-low-threshold

    When this threshold is reached, the server logs warnings and sends warnings to the disk space monitoring subsystem.

    The directory administrator must take action to provide more disk space.

    disk-full-threshold

    When this threshold is reached, the server stops operations and lets connected directory servers fail over to another replication server. The replication server can resume operations once free disk space rises above the disk-low-threshold setting.

  • Servers and the REST to LDAP gateway now include a ForgeRock transaction ID with each request.

    If you do not configure the server or gateway to trust transaction IDs in client application requests, then they ignore incoming transaction IDs, and instead generate a transaction ID for each request.

    If you configure the server or gateway to trust transaction IDs in client application requests, then outgoing requests reuse the incoming transaction ID. For each outgoing request in the transaction, the request’s transaction ID has the form original-transaction-id/sequence-number, where sequence-number reflects the position of the request in the series of requests for this transaction. For example, if the original-transaction-id is abc123, the first outgoing request has transaction ID abc123/0, the second abc123/1, the third abc123/2, and so on. This helps you to distinguish specific requests within a transaction when correlating audit events from multiple services.

    To configure a server to trust transaction IDs in client application requests, set the global configuration property, trust-transaction-ids, to true.

    To configure the REST to LDAP gateway to trust transaction IDs in client application requests, set the JVM system property, org.forgerock.http.TrustTransactionHeader, to true in the web application container where the gateway runs.

  • When an internal search is unindexed, a directory server now logs a message.
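
The transaction ID form described above (original-transaction-id/sequence-number) is what lets you stitch one client request back together from the audit logs of several services. The script below, an added example that is not DS or gateway code, parses that form, derives the outgoing ID for a forwarded request, and groups constructed audit events by their originating ID in sequence order. Because a server configured to trust transaction IDs accepts whatever the client sends, the parser rejects IDs whose sequence segments are not numeric rather than assuming the input is well formed.

```python
"""Parse ForgeRock transaction IDs and correlate audit events from several services."""
from collections import defaultdict


def parse_transaction_id(txn_id):
    """Split 'root/seq[/seq...]' into the originating ID and its sequence-number path."""
    root, *seqs = txn_id.split("/")
    if not root or any(not s.isdigit() for s in seqs):
        raise ValueError(f"malformed transaction ID: {txn_id!r}")
    return root, tuple(int(s) for s in seqs)


def outgoing_transaction_id(incoming, sequence_number):
    """ID carried by the Nth outgoing request made on behalf of an incoming request."""
    return f"{incoming}/{sequence_number}"


def correlate(events):
    """Group events by originating transaction ID, ordered along the sequence path."""
    grouped = defaultdict(list)
    for event in events:
        root, path = parse_transaction_id(event["transactionId"])
        grouped[root].append((path, event))
    return {root: [event for _, event in sorted(items, key=lambda item: item[0])]
            for root, items in grouped.items()}


# Constructed audit events (not real log output): one request through the gateway fans
# out into two LDAP requests on the server; an unrelated request carries its own ID.
SAMPLE_EVENTS = [
    {"service": "ds", "transactionId": "abc123/1", "operation": "MODIFY"},
    {"service": "gateway", "transactionId": "abc123", "path": "/users/bjensen"},
    {"service": "ds", "transactionId": "abc123/0", "operation": "SEARCH"},
    {"service": "ds", "transactionId": "def456/0", "operation": "BIND"},
]

if __name__ == "__main__":
    for root, events in correlate(SAMPLE_EVENTS).items():
        print(root, [e["transactionId"] for e in events])
```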

REST to LDAP
  • REST APIs now support the _sortKeys parameter to request that the server sort the query results it returns.

  • REST to LDAP now uses the affinity load balancer.

Security
  • DS servers use SHA-256 as the signature algorithm when generating key pairs, as an attacker with sufficient computing power could break SHA-1.

    NIST Special Publication 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, generally disallows use of SHA-1 for digital signature generation.

  • DS servers now support using a PKCS#11 device, such as a hardware security module (HSM), as a truststore.

    When you use a PKCS#11 device as a truststore, all trusted certificates must be present on the device. No CA certificates are available by default. Import all the signing certificates required for your deployment before configuring the device for use as a truststore.

    To use an HSM as a truststore:

    1. Configure the JVM to allow access to the PKCS#11 device.

    2. Using the dsconfig command, create a PKCS#11 trust manager provider configuration to access the PKCS#11 device as a truststore.

Simplified replication server setup
  • Use the new setup replication-server command to set up a server as a standalone replication server.

    You can use this command to install standalone replication servers without specifying the base DNs to replicate.

Tools
  • The dsconfig command now allows you to switch to advanced mode while using the command interactively.

  • The setup --help command now presents options in sorted order.

Fixes

The following pages list important fixes in DS major or minor versions since 5.5.0.

Fixes in a version are cumulative.

For example, when an issue is fixed in DS 7.1.1, it is fixed in 7.1.2 and any later 7.1.x maintenance releases.

Fixes in 7.5.x

This page lists the cumulative fixes in DS 7.5.x releases since 5.5.0:

DS 7.5.1

  • OPENDJ-10482: Referential integrity plugin cannot be used with a big-extensible index

  • OPENDJ-10314: Change number indexing does not take into account excluded domains

  • OPENDJ-10082: Upgrade fails in Windows environment

  • OPENDJ-10032: Inconsistent password storage scheme rehash policies can create multiple userPassword values

DS 7.5.0

  • OPENDJ-10306: Null pointer exceptions due to unrecognized (UNKNOWN) requests

  • OPENDJ-10171: etag in schema config entry leads to schema violation error when attempting to update cn=schema

  • OPENDJ-10139: Replication status "TOO_LATE" does not mark DS as unhealthy

  • OPENDJ-10131: ds-mon-receive-delay metric is not working

  • OPENDJ-10078: Unable to use dsrepl initialize for cn=schema when 99-user.ldif only contains ds-sync-state entries

  • OPENDJ-9913: Bind via REST API ignores force-change-on-add in password policy

DS 7.4.0

  • OPENDJ-9692: Unindexed privilege not enforced for unindexed sorted and paged searches

  • OPENDJ-9680: Reduce Argon2 memory requirement

  • OPENDJ-9544: Searches for attributes that do not exist in schema still take time

  • OPENDJ-9524: create-rc-script: systemd service should run start-ds/stop-ds, and not write a wrapper init script

  • OPENDJ-9507: Enable GSSAPI/Kerberos to use wildcard principal

  • OPENDJ-8849: An isolated DS (no RS) should return UNAVAILABLE instead of UNWILLING_TO_PERFORM

  • OPENDJ-8796: Virtual attribute providers ignore critical controls, such as VLV, paging, and sorting

  • OPENDJ-8228: Updates for an entry in a replicated sub-suffix appear also in the changelog for its parent

DS 7.3.0

DS 7.3.0 contains an issue that can corrupt static groups. The issue affects static groups only, but continuing to run 7.3.0 with static groups risks data corruption and other unintended consequences, so upgrade to 7.3.1 or a later version.

DS 7.3.1 and later include the necessary fixes; however, if you deployed DS 7.3.0 with static groups, you must contact support for assistance with resolving the data corruption.

  • OPENDJ-9300: DS 7.3 upgrade requires a full index rebuild

  • OPENDJ-9295: Search involving BigIndex throws NoSuchElementException

  • OPENDJ-9272: Change number indexing state is logged too often

  • OPENDJ-9250: The max-allowed-client-connections limit should not apply to the admin connector

  • OPENDJ-9245: DS backup to an S3 bucket on a new region fails

  • OPENDJ-9213: The dsconfig list-replication-domains output contains redundant columns

  • OPENDJ-9204: RS ignores DS state and forwards changes DS has already seen

  • OPENDJ-9200: Backup process logs incorrect number of jdb files

  • OPENDJ-9183: Replicated request controls serialized in LDIF using V1 encoding

  • OPENDJ-9182: NPE in changelogstat on encountering a modify DN request

  • OPENDJ-9167: Reading isMemberOf after adding, deleting, or renaming a static group can block for a long time when there are many static groups

  • OPENDJ-9102: Log rotation stops once the File Count Retention Policy count is met

  • OPENDJ-9042: All worker threads blocked waiting for abandon operations to complete

  • OPENDJ-9041: Undeliverable unexpected exception while performing an abandon operation during server shutdown

  • OPENDJ-9033: DS refuses to start and throws an NPE when a subordinate-base-dn is used

  • OPENDJ-9032: The dsrepl --script-friendly option was never implemented and should not appear in the tool

  • OPENDJ-9020: Replicas should persist their ReplicaOfflineMsg unless they’re being recovered from the replication server

  • OPENDJ-9007: LoadBalancer availability check fails if the current bind user state is "bad"

  • OPENDJ-9002: Changelogstat outputs verbose CSNs for offline messages, but not other messages

  • OPENDJ-9000: Missing RS - RS heartbeats are not detected

  • OPENDJ-8992: A replica rejoining the topology after its changelog is purged is not tested for the correct server state

  • OPENDJ-8975: Modified file permissions for 99-user.ldif revert to 600 when DS is restarted

  • OPENDJ-8917: ReplicationBroker.java swallowed important debugging info

  • OPENDJ-8831: Log when and why the ChangeNumberIndexer cannot move forward

  • OPENDJ-8815: dsrepl status does not take bad data status into account

  • OPENDJ-8808: Potential deadlock between overlapping rename operations

  • OPENDJ-8779: Improve replica and changelog logging

  • OPENDJ-8378: dsrepl status shows deleted replication domains

  • OPENDJ-8233: RS connection error reason is not logged when hostname is not resolvable

  • OPENDJ-7942: The server ignores critical VLV request controls when falling back to an unindexed search

  • OPENDJ-7941: Client connections to proxy are timed out after 10 seconds regardless of activity

  • OPENDJ-7925: Searchrate does not retrieve data when used simultaneously with modrate on groups

  • OPENDJ-7688: Spurious DS disconnections because of missing heartbeat

  • OPENDJ-7640: Supportextract does not collect all security stores when several keystores have the same basename

  • OPENDJ-7516: External cn=changelog is not updated while replication initialization is in progress

  • OPENDJ-3409: Retention and rotation policies do not work with CAUD handlers

  • OPENDJ-3057: Replication Server starts listener although ChangeLog DB is unusable

DS 7.2.0

  • OPENDJ-8874: Full replica purge should write CSN information right away

  • OPENDJ-8829: Error messages incorrectly mentions cn=System,cn=monitor

  • OPENDJ-8805: dsconfig exits when setting the "bootstrap-replication-server" property with a <null> value in the "Replication Service Discovery Mechanism".

  • OPENDJ-8792: SDK: Log SSL exceptions as errors instead of warnings

  • OPENDJ-8778: Setup option --trustStorePassword:file behaves differently than --trustStorePasswordFile

  • OPENDJ-8727: HTTP embedded listener throws IllegalStateException: Output channel is not set

  • OPENDJ-8698: DS should write config archive files in a crash consistent way

  • OPENDJ-8610: RS-RS session thread stuck in Session.send could prevent DS from shutdown

  • OPENDJ-8548: Optimize scoping of indexed searches

  • OPENDJ-8532: Error running export-ldif offline: "DatabaseConfig.setReadOnly() must be set to false when creating a Database"

  • OPENDJ-8500: IllegalMonitorStateException after subtree read lock timeout when adding an entry

  • OPENDJ-8473: Upgrade does not migrate ds-cfg-je-property values

  • OPENDJ-8383: dsrepl status fails when certificates accepted interactively

  • OPENDJ-8280: DS will not start when using a non US Locale after changing config

  • OPENDJ-8254: dsbackup restore/list slow to complete with cloud storage

  • OPENDJ-8243: Indexes could cause ldapsearch to return multiple copies of the same entry

  • OPENDJ-8227: Deadlock between Changelog DB purger and Thread for RS session

  • OPENDJ-8226: Support Extract tool ignores non-default changelogDb location when collecting domains.state file

  • OPENDJ-8205: Log message lists an object’s string representation instead of a file name

  • OPENDJ-8137: LDIF backend silently rejects entries that fail schema validation

  • OPENDJ-8115: -Djavax.net.ssl.trustStore=<value> in OPENDJ_JAVA_ARGS throws NullPointerException

  • OPENDJ-8090: am-identity-store:7.1 setup profile is not functional

  • OPENDJ-8079: targattrsfilters expression does not work with 2 filters but permits 1 or more than 2 filters

  • OPENDJ-8062: Possible inconsistent state after backup restore

  • OPENDJ-8046: Changelog files are not closed after searching cn=changelog

  • OPENDJ-8028: Prometheus monitoring doesn’t work with Telegraf

  • OPENDJ-8024: Prevent configuration of VLV indexes with scope base-object

  • OPENDJ-8008: OutOfMemoryException in subtree delete

  • OPENDJ-7991: makeldif: "invalid number of arguments" using DateTime tag with colons

  • OPENDJ-7971: dsbackup fails when JDB file cleaned

  • OPENDJ-7970: Ensure that DS is crash resilient for all runtime file changes

  • OPENDJ-7889: Configuring group-id against DS-only instance requires restart for the change to be reported by monitoring

  • OPENDJ-7818: Package based upgrade does not support instances running as non-root

  • OPENDJ-7816: dsbackup fails when destination is a symbolic link to a real directory

  • OPENDJ-7755: DS 7.0 replication with older version, CryptoManager failed to import the symmetric key entry

  • OPENDJ-7744: dsrepl initialize in a topology with DS7 and DS 5.5 fails if DS7 serverId starts with 0

  • OPENDJ-7596: dsbackup has global connection options that do not work with some subcommands

  • OPENDJ-4935: Replication instability and divergence when using high latency disks

DS 7.1.0

  • OPENDJ-7928: JSON normalization cannot handle nested arrays

  • OPENDJ-7905: Schema replication error after upgrade

  • OPENDJ-7867: NPE if dsbackup bucket name contains underscores

  • OPENDJ-7851: Supportextract tool: clobbers the server.out filehandle when kill -3 is used.

  • OPENDJ-7847: StaticGroup’s objectclass sanity checks are unhelpful

  • OPENDJ-7810: JMX connections are always considered insecure

  • OPENDJ-7761: DS sporadically hangs while reconnecting to an RS

  • OPENDJ-7758: DS 7.0 dsrepl add-local-server-to-pre-7-0-topology: NPE if master-key is in different keystore

  • OPENDJ-7747: ldapmodify display full stack exception on LDIF errors if connection is already established

  • OPENDJ-7737: ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files

  • OPENDJ-7699: Supportextract throws NoSuchElementException when the server.pid file is empty

  • OPENDJ-7689: dsrepl add-local-server-to-pre-7-0-topology does not tolerate separate keystore and truststore

  • OPENDJ-7687: Global Access Control Policy regarding cn=schema is too restrictive

  • OPENDJ-7674: Migrating encrypted changelog files during upgrade fails

  • OPENDJ-7655: Replaying multiple MODIFYDN operations is very slow

  • OPENDJ-7612: replication divergence on CTS in the cloud

  • OPENDJ-7599: Cannot add a pre-encoded password to an entry without an existing password

  • OPENDJ-7554: Windows: Secrets not retrieved from :file command-line arguments

  • OPENDJ-7523: Example plugin and example pwdscheme pom.xml are missing correct revision

  • OPENDJ-7513: Missing subSchemaSubEntry attribute from rootDSE access controls

  • OPENDJ-7481: JSON logs do not contain proxy auth DN

  • OPENDJ-7474: Docker sample README.md provides wrong instructions for running the container

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

DS 7.0.0

  • OPENDJ-7319: Addrate can run out of memory when --deleteMode off and --noPurge are set

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7016: status command outputs malformed JSON in script friendly mode

  • OPENDJ-6994: strict-format-country-string does not affect the server

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6711: Replication status reports The provided value "5277383431" could not be parsed as an integer.

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The Supportextract hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: Server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6499: Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6221: Logging for CONNECT operations are not saved in Nanosecond format

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6188: Backend returns an incorrect error type when disk space hits low threshold

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6116: Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5664: JDK 11: illegal reflective access warning during import-ldif

  • OPENDJ-5661: supportextract tool help and version options are different from other tools

  • OPENDJ-5660: JDK 11: illegal reflective access warning on setup (with profile)

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5590: Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-4764: REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly

  • OPENDJ-4714: SSL handshake now sends 16KB list of CA issuer DNs

  • OPENDJ-3121: Setup fails to create the lib/extensions directory in the instance.loc path, if a instance.loc file is used.

  • OPENDJ-2605: Debian packages should be idempotent

  • OPENDJ-1169: Exception/error lost when logging ERR_LOOP_REPLAYING_OPERATION

  • OPENDJ-640: Text Query Against indexed telephoneNumber Attribute Very Slow

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid Conflict resolution on Add sequence when Parent & Child are added on different replica

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica ID’s causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected.

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued.

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring report statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 7.4.x

This page lists the cumulative fixes in DS 7.4.x releases since 5.5.0:

DS 7.4.3

  • OPENDJ-10838: Change Number Indexer stops indexing when a Replication Server recovers from disk full errors

  • OPENDJ-10314: Change number indexing does not take into account excluded domains

  • OPENDJ-10082: Upgrade fails in Windows environment

  • OPENDJ-10032: Inconsistent password storage scheme rehash policies can create multiple userPassword values

DS 7.4.2

  • OPENDJ-10139: Replication status "TOO_LATE" does not mark DS as unhealthy

  • OPENDJ-10131: ds-mon-receive-delay metric is not working

  • OPENDJ-10078: Unable to use dsrepl initialize for cn=schema when 99-user.ldif only contains ds-sync-state entries

DS 7.4.1

  • OPENDJ-10211: Upgrading to DS 7.4.0 with a backend with confidentiality enabled fails

  • OPENDJ-9999: DS uses encrypt/decrypt for key wrapping instead of wrap/unwrap

  • OPENDJ-9966: ds-sync-delay and ds-sync-is-available are not correctly specified in schema

  • OPENDJ-9917: VirtualListView limits returned entries when used with an attr#USERDN ACI

DS 7.4.0

  • OPENDJ-9692: Unindexed privilege not enforced for unindexed sorted and paged searches

  • OPENDJ-9680: Reduce Argon2 memory requirement

  • OPENDJ-9544: Searches for attributes that do not exist in schema still take time

  • OPENDJ-9524: create-rc-script: systemd service should run start-ds/stop-ds, and not write a wrapper init script

  • OPENDJ-9507: Enable GSSAPI/Kerberos to use wildcard principal

  • OPENDJ-8849: An isolated DS (no RS) should return UNAVAILABLE instead of UNWILLING_TO_PERFORM

  • OPENDJ-8796: Virtual attribute providers ignore critical controls, such as VLV, paging, and sorting

  • OPENDJ-8228: Updates for an entry in a replicated sub-suffix appear also in the changelog for its parent

DS 7.3.0

DS 7.3.0 contains an issue that can corrupt static groups. The issue affects static groups only, but continuing to run 7.3.0 with static groups risks data corruption and other unintended consequences, so upgrade to 7.3.1 or a later version.

DS 7.3.1 and later include the necessary fixes; however, if you deployed DS 7.3.0 with static groups, you must contact support for assistance with resolving the data corruption.

  • OPENDJ-9300: DS 7.3 upgrade requires a full index rebuild

  • OPENDJ-9295: Search involving BigIndex throws NoSuchElementException

  • OPENDJ-9272: Change number indexing state is logged too often

  • OPENDJ-9250: The max-allowed-client-connections limit should not apply to the admin connector

  • OPENDJ-9245: DS backup to an S3 bucket on a new region fails

  • OPENDJ-9213: The dsconfig list-replication-domains output contains redundant columns

  • OPENDJ-9204: RS ignores DS state and forwards changes DS has already seen

  • OPENDJ-9200: Backup process logs incorrect number of jdb files

  • OPENDJ-9183: Replicated request controls serialized in LDIF using V1 encoding

  • OPENDJ-9182: NPE in changelogstat on encountering a modify DN request

  • OPENDJ-9167: Reading isMemberOf after adding, deleting, or renaming a static group can block for a long time when there are many static groups

  • OPENDJ-9102: Log rotation stops once the File Count Retention Policy count is met

  • OPENDJ-9042: All worker threads blocked waiting for abandon operations to complete

  • OPENDJ-9041: Undeliverable unexpected exception while performing an abandon operation during server shutdown

  • OPENDJ-9033: DS refuses to start and throws an NPE when a subordinate-base-dn is used

  • OPENDJ-9032: The dsrepl --script-friendly option was never implemented and should not appear in the tool

  • OPENDJ-9020: Replicas should persist their ReplicaOfflineMsg unless they’re being recovered from the replication server

  • OPENDJ-9007: LoadBalancer availability check fails if the current bind user state is "bad"

  • OPENDJ-9002: Changelogstat outputs verbose CSNs for offline messages, but not other messages

  • OPENDJ-9000: Missing RS - RS heartbeats are not detected

  • OPENDJ-8992: A replica rejoining the topology after its changelog is purged is not tested for the correct server state

  • OPENDJ-8975: Modified file permissions for 99-user.ldif revert to 600 when DS is restarted

  • OPENDJ-8917: ReplicationBroker.java swallowed important debugging info

  • OPENDJ-8831: Log when and why the ChangeNumberIndexer cannot move forward

  • OPENDJ-8815: dsrepl status does not take bad data status into account

  • OPENDJ-8808: Potential deadlock between overlapping rename operations

  • OPENDJ-8779: Improve replica and changelog logging

  • OPENDJ-8378: dsrepl status shows deleted replication domains

  • OPENDJ-8233: RS connection error reason is not logged when hostname is not resolvable

  • OPENDJ-7942: The server ignores critical VLV request controls when falling back to an unindexed search

  • OPENDJ-7941: Client connections to proxy are timed out after 10 seconds regardless of activity

  • OPENDJ-7925: Searchrate does not retrieve data when used simultaneously with modrate on groups

  • OPENDJ-7688: Spurious DS disconnections because of missing heartbeat

  • OPENDJ-7640: Supportextract does not collect all security stores when several keystores have the same basename

  • OPENDJ-7516: External cn=changelog is not updated while replication initialization is in progress

  • OPENDJ-3409: Retention and rotation policies do not work with CAUD handlers

  • OPENDJ-3057: Replication Server starts listener although ChangeLog DB is unusable

DS 7.2.0

  • OPENDJ-8874: Full replica purge should write CSN information right away

  • OPENDJ-8829: Error messages incorrectly mentions cn=System,cn=monitor

  • OPENDJ-8805: dsconfig exits when setting the "bootstrap-replication-server" property with a <null> value in the "Replication Service Discovery Mechanism".

  • OPENDJ-8792: SDK: Log SSL exceptions as errors instead of warnings

  • OPENDJ-8778: Setup option --trustStorePassword:file behaves differently than --trustStorePasswordFile

  • OPENDJ-8727: HTTP embedded listener throws IllegalStateException: Output channel is not set

  • OPENDJ-8698: DS should write config archive files in a crash consistent way

  • OPENDJ-8610: RS-RS session thread stuck in Session.send could prevent DS from shutdown

  • OPENDJ-8548: Optimize scoping of indexed searches

  • OPENDJ-8532: Error running export-ldif offline: "DatabaseConfig.setReadOnly() must be set to false when creating a Database"

  • OPENDJ-8500: IllegalMonitorStateException after subtree read lock timeout when adding an entry

  • OPENDJ-8473: Upgrade does not migrate ds-cfg-je-property values

  • OPENDJ-8383: dsrepl status fails when certificates accepted interactively

  • OPENDJ-8280: DS will not start when using a non US Locale after changing config

  • OPENDJ-8254: dsbackup restore/list slow to complete with cloud storage

  • OPENDJ-8243: Indexes could cause ldapsearch to return multiple copies of the same entry

  • OPENDJ-8227: Deadlock between Changelog DB purger and Thread for RS session

  • OPENDJ-8226: Support Extract tool ignores non-default changelogDb location when collecting domains.state file

  • OPENDJ-8205: Log message lists an object’s string representation instead of a file name

  • OPENDJ-8137: LDIF backend silently rejects entries that fail schema validation

  • OPENDJ-8115: -Djavax.net.ssl.trustStore=<value> in OPENDJ_JAVA_ARGS throws NullPointerException

  • OPENDJ-8090: am-identity-store:7.1 setup profile is not functional

  • OPENDJ-8079: targattrsfilters expression does not work with 2 filters but permits 1 or more than 2 filters

  • OPENDJ-8062: Possible inconsistent state after backup restore

  • OPENDJ-8046: Changelog files are not closed after searching cn=changelog

  • OPENDJ-8028: Prometheus monitoring doesn’t work with Telegraf

  • OPENDJ-8024: Prevent configuration of VLV indexes with scope base-object

  • OPENDJ-8008: OutOfMemoryException in subtree delete

  • OPENDJ-7991: makeldif: "invalid number of arguments" using DateTime tag with colons

  • OPENDJ-7971: dsbackup fails when JDB file cleaned

  • OPENDJ-7970: Ensure that DS is crash resilient for all runtime file changes

  • OPENDJ-7889: Configuring group-id against DS-only instance requires restart for the change to be reported by monitoring

  • OPENDJ-7818: Package based upgrade does not support instances running as non-root

  • OPENDJ-7816: dsbackup fails when destination is a symbolic link to a real directory

  • OPENDJ-7755: DS 7.0 replication with older version, CryptoManager failed to import the symmetric key entry

  • OPENDJ-7744: dsrepl initialize in a topology with DS7 and DS 5.5 fails if DS7 serverId starts with 0

  • OPENDJ-7596: dsbackup has global connection options that do not work with some subcommands

  • OPENDJ-4935: Replication instability and divergence when using high latency disks

DS 7.1.0

  • OPENDJ-7928: JSON normalization cannot handle nested arrays

  • OPENDJ-7905: Schema replication error after upgrade

  • OPENDJ-7867: NPE if dsbackup bucket name contains underscores

  • OPENDJ-7851: Supportextract tool: clobbers the server.out filehandle when kill -3 is used.

  • OPENDJ-7847: StaticGroup’s objectclass sanity checks are unhelpful

  • OPENDJ-7810: JMX connections are always considered insecure

  • OPENDJ-7761: DS sporadically hangs while reconnecting to an RS

  • OPENDJ-7758: DS 7.0 dsrepl add-local-server-to-pre-7-0-topology: NPE if master-key is in different keystore

  • OPENDJ-7747: ldapmodify display full stack exception on LDIF errors if connection is already established

  • OPENDJ-7737: ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files

  • OPENDJ-7699: Supportextract throws NoSuchElementException when the server.pid file is empty

  • OPENDJ-7689: dsrepl add-local-server-to-pre-7-0-topology does not tolerate separate keystore and truststore

  • OPENDJ-7687: Global Access Control Policy regarding cn=schema is too restrictive

  • OPENDJ-7674: Migrating encrypted changelog files during upgrade fails

  • OPENDJ-7655: Replaying multiple MODIFYDN operations is very slow

  • OPENDJ-7612: replication divergence on CTS in the cloud

  • OPENDJ-7599: Cannot add a pre-encoded password to an entry without an existing password

  • OPENDJ-7554: Windows: Secrets not retrieved from :file command-line arguments

  • OPENDJ-7523: Example plugin and example pwdscheme pom.xml are missing correct revision

  • OPENDJ-7513: Missing subSchemaSubEntry attribute from rootDSE access controls

  • OPENDJ-7481: JSON logs do not contain proxy auth DN

  • OPENDJ-7474: Docker sample README.md provides wrong instructions for running the container

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

DS 7.0.0

  • OPENDJ-7319: Addrate can run out of memory when --deleteMode off and --noPurge are set

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7016: status command outputs malformed JSON in script friendly mode

  • OPENDJ-6994: strict-format-country-string does not affect the server

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6711: Replication status reports "The provided value "5277383431" could not be parsed as an integer."

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The Supportextract hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: Server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6499: Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6221: Logging for CONNECT operations is not saved in nanosecond format

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6188: Backend returns an incorrect error type when disk space hits low threshold

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6116: Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5664: JDK 11: illegal reflective access warning during import-ldif

  • OPENDJ-5661: supportextract tool help and version options are different from other tools

  • OPENDJ-5660: JDK 11: illegal reflective access warning on setup (with profile)

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5590: Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-4764: REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly

  • OPENDJ-4714: SSL handshake now sends 16KB list of CA issuer DNs

  • OPENDJ-3121: Setup fails to create the lib/extensions directory in the instance.loc path if an instance.loc file is used

  • OPENDJ-2605: Debian packages should be idempotent

  • OPENDJ-1169: Exception/error lost when logging ERR_LOOP_REPLAYING_OPERATION

  • OPENDJ-640: Text Query Against indexed telephoneNumber Attribute Very Slow

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid Conflict resolution on Add sequence when Parent & Child are added on different replica

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected.

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued.

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring reports statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1, the server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 7.3.x

This page lists the cumulative fixes in DS 7.3.x releases since 5.5.0:

DS 7.3.5

  • OPENDJ-10139: Replication status "TOO_LATE" does not mark DS as unhealthy

  • OPENDJ-10131: ds-mon-receive-delay metric is not working

  • OPENDJ-10078: Unable to use dsrepl initialize for cn=schema when 99-user.ldif only contains ds-sync-state entries

  • OPENDJ-5041: Set resource limits according to proxyAs user instead of the bindDN

DS 7.3.4

  • OPENDJ-9999: DS uses encrypt/decrypt for key wrapping instead of wrap/unwrap

  • OPENDJ-9917: VirtualListView limits returned entries when used with an attr#USERDN ACI

  • OPENDJ-8796: Virtual attribute providers ignore critical controls, such as VLV, paging, and sorting

DS 7.3.3

  • OPENDJ-9828: Deadlock in big index

  • OPENDJ-9798: Recreated indexes are considered trusted when empty

  • OPENDJ-9790: Cannot create GeneralizedTimes with large fractional values

  • OPENDJ-9773: Slow startup when using multiple backends with static groups

  • OPENDJ-9272: Change number indexing state is logged too often

  • OPENDJ-9158: AM User/CTS affinity failover doesn’t happen when DS’s disk volume is detached

  • OPENDJ-6791: RS reconnect delay is too aggressive

DS 7.3.2

  • OPENDJ-9587: ChangeNumberIndexer unable to advance even after proper shutdown of the replica

  • OPENDJ-9472: Upgrade does not correctly handle previously patched upgrades

DS 7.3.1

  • OPENDJ-9550: Problem with entryUUIDs and operational attributes of static groups

  • OPENDJ-9473: The bindPasswordFile (bindPassword:file) option cannot be used with a tools.properties file

  • OPENDJ-9358: ACI: (userdn = "ldap:///anyone" and not userdn = "ldap:///all") captures authenticated users and should not

DS 7.3.0

An issue discovered in the 7.3.0 release has the potential to corrupt static groups. To ensure data integrity, we highly recommend upgrading to the latest version, 7.3.1. This issue affects the stability and reliability of static groups only. Continuing to use version 7.3.0 may lead to data corruption and other unintended consequences.

DS version 7.3.1 and later include the necessary fixes; however, if you deployed DS 7.3.0 with static groups, you must contact support for assistance with resolving the data corruption.

  • OPENDJ-9300: DS 7.3 upgrade requires a full index rebuild

  • OPENDJ-9295: Search involving BigIndex throws NoSuchElementException

  • OPENDJ-9272: Change number indexing state is logged too often

  • OPENDJ-9250: The max-allowed-client-connections limit should not apply to the admin connector

  • OPENDJ-9245: DS backup to an S3 bucket on a new region fails

  • OPENDJ-9213: The dsconfig list-replication-domains output contains redundant columns

  • OPENDJ-9204: RS ignores DS state and forwards changes DS has already seen

  • OPENDJ-9200: Backup process logs incorrect number of jdb files

  • OPENDJ-9183: Replicated request controls serialized in LDIF using V1 encoding

  • OPENDJ-9182: NPE in changelogstat on encountering a modify DN request

  • OPENDJ-9167: Reading isMemberOf after adding, deleting, or renaming a static group can block for a long time when there are many static groups

  • OPENDJ-9102: Log rotation stops once the File Count Retention Policy count is met

  • OPENDJ-9042: All worker threads blocked waiting for abandon operations to complete

  • OPENDJ-9041: Undeliverable unexpected exception while performing an abandon operation during server shutdown

  • OPENDJ-9033: DS refuses to start and throws an NPE when a subordinate-base-dn is used

  • OPENDJ-9032: The dsrepl --script-friendly option was never implemented and should not appear in the tool

  • OPENDJ-9020: Replicas should persist their ReplicaOfflineMsg unless they’re being recovered from the replication server

  • OPENDJ-9007: LoadBalancer availability check fails if the current bind user state is "bad"

  • OPENDJ-9002: Changelogstat outputs verbose CSNs for offline messages, but not other messages

  • OPENDJ-9000: Missing RS - RS heartbeats are not detected

  • OPENDJ-8992: A replica rejoining the topology after its changelog is purged is not tested for the correct server state

  • OPENDJ-8975: Modified file permissions for 99-user.ldif revert to 600 when DS is restarted

  • OPENDJ-8917: ReplicationBroker.java swallowed important debugging info

  • OPENDJ-8831: Log when and why the ChangeNumberIndexer cannot move forward

  • OPENDJ-8815: dsrepl status does not take bad data status into account

  • OPENDJ-8808: Potential deadlock between overlapping rename operations

  • OPENDJ-8779: Improve replica and changelog logging

  • OPENDJ-8378: dsrepl status shows deleted replication domains

  • OPENDJ-8233: RS connection error reason is not logged when hostname is not resolvable

  • OPENDJ-7942: The server ignores critical VLV request controls when falling back to an unindexed search

  • OPENDJ-7941: Client connections to proxy are timed out after 10 seconds regardless of activity

  • OPENDJ-7925: Searchrate does not retrieve data when used simultaneously with modrate on groups

  • OPENDJ-7688: Spurious DS disconnections because of missing heartbeat

  • OPENDJ-7640: Supportextract does not collect all security stores when several keystores have the same basename

  • OPENDJ-7516: External cn=changelog is not updated while replication initialization is in progress

  • OPENDJ-3409: Retention and rotation policies do not work with CAUD handlers

  • OPENDJ-3057: Replication Server starts listener although ChangeLog DB is unusable

DS 7.2.0

  • OPENDJ-8874: Full replica purge should write CSN information right away

  • OPENDJ-8829: Error messages incorrectly mention cn=System,cn=monitor

  • OPENDJ-8805: dsconfig exits when setting the "bootstrap-replication-server" property with a <null> value in the "Replication Service Discovery Mechanism".

  • OPENDJ-8792: SDK: Log SSL exceptions as errors instead of warnings

  • OPENDJ-8778: Setup option --trustStorePassword:file behaves differently than --trustStorePasswordFile

  • OPENDJ-8727: HTTP embedded listener throws IllegalStateException: Output channel is not set

  • OPENDJ-8698: DS should write config archive files in a crash consistent way

  • OPENDJ-8610: RS-RS session thread stuck in Session.send could prevent DS from shutdown

  • OPENDJ-8548: Optimize scoping of indexed searches

  • OPENDJ-8532: Error running export-ldif offline: "DatabaseConfig.setReadOnly() must be set to false when creating a Database"

  • OPENDJ-8500: IllegalMonitorStateException after subtree read lock timeout when adding an entry

  • OPENDJ-8473: Upgrade does not migrate ds-cfg-je-property values

  • OPENDJ-8383: dsrepl status fails when certificates accepted interactively

  • OPENDJ-8280: DS will not start when using a non US Locale after changing config

  • OPENDJ-8254: dsbackup restore/list slow to complete with cloud storage

  • OPENDJ-8243: Indexes could cause ldapsearch to return multiple copies of the same entry

  • OPENDJ-8227: Deadlock between Changelog DB purger and Thread for RS session

  • OPENDJ-8226: Support Extract tool ignores non-default changelogDb location when collecting domains.state file

  • OPENDJ-8205: Log message lists an object’s string representation instead of a file name

  • OPENDJ-8137: LDIF backend silently rejects entries that fail schema validation

  • OPENDJ-8115: -Djavax.net.ssl.trustStore=<value> in OPENDJ_JAVA_ARGS throws NullPointerException

  • OPENDJ-8090: am-identity-store:7.1 setup profile is not functional

  • OPENDJ-8079: targattrsfilters expression does not work with 2 filters but permits 1 or more than 2 filters

  • OPENDJ-8062: Possible inconsistent state after backup restore

  • OPENDJ-8046: Changelog files are not closed after searching cn=changelog

  • OPENDJ-8028: Prometheus monitoring doesn’t work with Telegraf

  • OPENDJ-8024: Prevent configuration of VLV indexes with scope base-object

  • OPENDJ-8008: OutOfMemoryException in subtree delete

  • OPENDJ-7991: makeldif: "invalid number of arguments" using DateTime tag with colons

  • OPENDJ-7971: dsbackup fails when JDB file cleaned

  • OPENDJ-7970: Ensure that DS is crash resilient for all runtime file changes

  • OPENDJ-7889: Configuring group-id against DS-only instance requires restart for the change to be reported by monitoring

  • OPENDJ-7818: Package based upgrade does not support instances running as non-root

  • OPENDJ-7816: dsbackup fails when destination is a symbolic link to a real directory

  • OPENDJ-7755: DS 7.0 replication with older version, CryptoManager failed to import the symmetric key entry

  • OPENDJ-7744: dsrepl initialize in a topology with DS7 and DS 5.5 fails if DS7 serverId starts with 0

  • OPENDJ-7596: dsbackup has global connection options that do not work with some subcommands

  • OPENDJ-4935: Replication instability and divergence when using high latency disks

DS 7.1.0

  • OPENDJ-7928: JSON normalization cannot handle nested arrays

  • OPENDJ-7905: Schema replication error after upgrade

  • OPENDJ-7867: NPE if dsbackup bucket name contains underscores

  • OPENDJ-7851: Supportextract tool: clobbers the server.out filehandle when kill -3 is used.

  • OPENDJ-7847: StaticGroup’s objectclass sanity checks are unhelpful

  • OPENDJ-7810: JMX connections are always considered insecure

  • OPENDJ-7761: DS sporadically hangs while reconnecting to an RS

  • OPENDJ-7758: DS 7.0 dsrepl add-local-server-to-pre-7-0-topology: NPE if master-key is in different keystore

  • OPENDJ-7747: ldapmodify displays full stack exception on LDIF errors if connection is already established

  • OPENDJ-7737: ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files

  • OPENDJ-7699: Supportextract throws NoSuchElementException when the server.pid file is empty

  • OPENDJ-7689: dsrepl add-local-server-to-pre-7-0-topology does not tolerate separate keystore and truststore

  • OPENDJ-7687: Global Access Control Policy regarding cn=schema is too restrictive

  • OPENDJ-7674: Migrating encrypted changelog files during upgrade fails

  • OPENDJ-7655: Replaying multiple MODIFYDN operations is very slow

  • OPENDJ-7612: replication divergence on CTS in the cloud

  • OPENDJ-7599: Cannot add a pre-encoded password to an entry without an existing password

  • OPENDJ-7554: Windows: Secrets not retrieved from :file command-line arguments

  • OPENDJ-7523: Example plugin and example pwdscheme pom.xml are missing correct revision

  • OPENDJ-7513: Missing subSchemaSubEntry attribute from rootDSE access controls

  • OPENDJ-7481: JSON logs do not contain proxy auth DN

  • OPENDJ-7474: Docker sample README.md provides wrong instructions for running the container

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

DS 7.0.0

  • OPENDJ-7319: Addrate can run out of memory when --deleteMode off and --noPurge are set

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7016: status command outputs malformed JSON in script friendly mode

  • OPENDJ-6994: strict-format-country-string does not affect the server

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6711: Replication status reports "The provided value "5277383431" could not be parsed as an integer."

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The Supportextract hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: Server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6499: Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6221: Logging for CONNECT operations is not saved in nanosecond format

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6188: Backend returns an incorrect error type when disk space hits low threshold

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6116: Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5664: JDK 11: illegal reflective access warning during import-ldif

  • OPENDJ-5661: supportextract tool help and version options are different from other tools

  • OPENDJ-5660: JDK 11: illegal reflective access warning on setup (with profile)

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5590: Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-4764: REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly

  • OPENDJ-4714: SSL handshake now sends 16KB list of CA issuer DNs

  • OPENDJ-3121: Setup fails to create the lib/extensions directory in the instance.loc path if an instance.loc file is used

  • OPENDJ-2605: Debian packages should be idempotent

  • OPENDJ-1169: Exception/error lost when logging ERR_LOOP_REPLAYING_OPERATION

  • OPENDJ-640: Text Query Against indexed telephoneNumber Attribute Very Slow

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid Conflict resolution on Add sequence when Parent & Child are added on different replica

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected.

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued.

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring reports statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1, the server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimal after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 7.2.x

This page lists the cumulative fixes in DS 7.2.x releases since 5.5.0:

DS 7.2.5

  • OPENDJ-10139: Replication status "TOO_LATE" does not mark DS as unhealthy

  • OPENDJ-10131: ds-mon-receive-delay metric is not working

  • OPENDJ-10032: Inconsistent password storage scheme rehash policies can create multiple userPassword values

  • OPENDJ-5041: Set resource limits according to proxyAs user instead of the bindDN

DS 7.2.4

  • OPENDJ-9999: DS uses encrypt/decrypt for key wrapping instead of wrap/unwrap

  • OPENDJ-8796: Virtual attribute providers ignore critical controls, such as VLV, paging, and sorting

DS 7.2.3

  • OPENDJ-9828: Deadlock in big index

  • OPENDJ-9587: ChangeNumberIndexer unable to advance even after proper shutdown of the replica

  • OPENDJ-9472: Upgrade does not correctly handle previously patched upgrades

  • OPENDJ-9419: Disaster recovery must delete all domain states from the changelog

  • OPENDJ-9200: Backup process logs incorrect number of jdb files

  • OPENDJ-9158: AM User/CTS affinity failover doesn’t happen when DS’s disk volume is detached

  • OPENDJ-8975: Modified file permissions for 99-user.ldif revert to 600 when DS is restarted

  • OPENDJ-7941: Client connections to proxy time out after 10 seconds regardless of activity

DS 7.2.2

  • OPENDJ-9358: ACI: (userdn = "ldap:///anyone" and not userdn = "ldap:///all") captures authenticated users and should not

  • OPENDJ-9347: GSSAPISASLMechanismHandler incorrectly formats the login conf file

  • OPENDJ-9315: Virtual static group does not contain all members of a target dynamic group

  • OPENDJ-9295: Search involving BigIndex throws NoSuchElementException

  • OPENDJ-9272: Change number indexing state is logged too often

  • OPENDJ-9245: DS backup to an S3 bucket on a new region fails

  • OPENDJ-9228: DS intermittently fails to stop due to TaskScheduler.writeLockEntry()

  • OPENDJ-9042: All worker threads blocked waiting for abandon operations to complete

DS 7.2.1

  • OPENDJ-9204: RS ignores DS state and forwards changes that DS has already seen

  • OPENDJ-9183: Replicated request controls serialized in LDIF using V1 encoding

  • OPENDJ-9182: NPE in changelogstat on encountering a modify DN request

  • OPENDJ-9102: Log rotation stops once the File Count Retention Policy count is met

  • OPENDJ-9042: All worker threads blocked waiting for abandon operations to complete

  • OPENDJ-9041: Undeliverable unexpected exception while performing an abandon operation during server shutdown

  • OPENDJ-9033: DS refuses to start and throws a NullPointerException when a subordinate-base-dn is used

  • OPENDJ-9032: The dsrepl --script-friendly option was never implemented and shouldn’t appear in the tool

  • OPENDJ-9020: Replicas should persist their ReplicaOfflineMsg unless they’re being recovered from the replication server

  • OPENDJ-9007: LoadBalancer availability check fails if the current bind user state is "bad"

  • OPENDJ-9002: Changelogstat outputs verbose CSNs for offline messages, but not other messages

  • OPENDJ-8992: Replica rejoining the topology after its changelog is purged is not tested for correct server state

  • OPENDJ-8917: ReplicationBroker.java swallowed important debugging info

  • OPENDJ-8831: Log when and why the ChangeNumberIndexer cannot move forward

  • OPENDJ-8815: dsrepl status does not take into account a status of Bad generation id

  • OPENDJ-8808: Potential deadlock between overlapping rename operations

  • OPENDJ-8779: Improve replica and changelog logging

  • OPENDJ-8378: dsrepl status shows deleted replication domains

  • OPENDJ-7688: Spurious DS disconnections because of missing heartbeat

  • OPENDJ-7640: Supportextract doesn’t collect all security stores when several keystores have the same basename

  • OPENDJ-7516: External cn=changelog is not updated while replication initialization is in progress

DS 7.2.0

  • OPENDJ-8874: Full replica purge should write CSN information right away

  • OPENDJ-8829: Error messages incorrectly mention cn=System,cn=monitor

  • OPENDJ-8805: dsconfig exits when setting the "bootstrap-replication-server" property with a <null> value in the "Replication Service Discovery Mechanism"

  • OPENDJ-8792: SDK: Log SSL exceptions as errors instead of warnings

  • OPENDJ-8778: Setup option --trustStorePassword:file behaves differently than --trustStorePasswordFile

  • OPENDJ-8727: HTTP embedded listener throws IllegalStateException: Output channel is not set

  • OPENDJ-8698: DS should write config archive files in a crash consistent way

  • OPENDJ-8610: RS-RS session thread stuck in Session.send could prevent DS from shutdown

  • OPENDJ-8548: Optimize scoping of indexed searches

  • OPENDJ-8532: Error running export-ldif offline: "DatabaseConfig.setReadOnly() must be set to false when creating a Database"

  • OPENDJ-8500: IllegalMonitorStateException after subtree read lock timeout when adding an entry

  • OPENDJ-8473: Upgrade does not migrate ds-cfg-je-property values

  • OPENDJ-8383: dsrepl status fails when certificates accepted interactively

  • OPENDJ-8280: DS will not start when using a non US Locale after changing config

  • OPENDJ-8254: dsbackup restore/list slow to complete with cloud storage

  • OPENDJ-8243: Indexes could cause ldapsearch to return multiple copies of the same entry

  • OPENDJ-8227: Deadlock between Changelog DB purger and Thread for RS session

  • OPENDJ-8226: Support Extract tool ignores non-default changelogDb location when collecting domains.state file

  • OPENDJ-8205: Log message lists an object’s string representation instead of a file name

  • OPENDJ-8137: LDIF backend silently rejects entries that fail schema validation

  • OPENDJ-8115: -Djavax.net.ssl.trustStore=<value> in OPENDJ_JAVA_ARGS throws NullPointerException

  • OPENDJ-8090: am-identity-store:7.1 setup profile is not functional

  • OPENDJ-8079: targattrsfilters expression does not work with 2 filters but permits 1 or more than 2 filters

  • OPENDJ-8062: Possible inconsistent state after backup restore

  • OPENDJ-8046: Changelog files are not closed after searching cn=changelog

  • OPENDJ-8028: Prometheus monitoring doesn’t work with Telegraf

  • OPENDJ-8024: Prevent configuration of VLV indexes with scope base-object

  • OPENDJ-8008: OutOfMemoryException in subtree delete

  • OPENDJ-7991: makeldif: "invalid number of arguments" using DateTime tag with colons

  • OPENDJ-7971: dsbackup fails when JDB file cleaned

  • OPENDJ-7970: Ensure that DS is crash resilient for all runtime file changes

  • OPENDJ-7889: Configuring group-id against DS-only instance requires restart for the change to be reported by monitoring

  • OPENDJ-7818: Package based upgrade does not support instances running as non-root

  • OPENDJ-7816: dsbackup fails when destination is a symbolic link to a real directory

  • OPENDJ-7755: DS 7.0 replication with an older version: CryptoManager fails to import the symmetric key entry

  • OPENDJ-7744: dsrepl initialize in a topology with DS7 and DS 5.5 fails if DS7 serverId starts with 0

  • OPENDJ-7596: dsbackup has global connection options that do not work with some subcommands

  • OPENDJ-4935: Replication instability and divergence when using high latency disks

DS 7.1.0

  • OPENDJ-7928: JSON normalization cannot handle nested arrays

  • OPENDJ-7905: Schema replication error after upgrade

  • OPENDJ-7867: NPE if dsbackup bucket name contains underscores

  • OPENDJ-7851: Supportextract tool clobbers the server.out filehandle when kill -3 is used

  • OPENDJ-7847: StaticGroup’s objectclass sanity checks are unhelpful

  • OPENDJ-7810: JMX connections are always considered insecure

  • OPENDJ-7761: DS sporadically hangs while reconnecting to an RS

  • OPENDJ-7758: DS 7.0 dsrepl add-local-server-to-pre-7-0-topology: NPE if master-key is in different keystore

  • OPENDJ-7747: ldapmodify displays a full stack exception on LDIF errors if the connection is already established

  • OPENDJ-7737: ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files

  • OPENDJ-7699: Supportextract throws NoSuchElementException when the server.pid file is empty

  • OPENDJ-7689: dsrepl add-local-server-to-pre-7-0-topology does not tolerate separate keystore and truststore

  • OPENDJ-7687: Global Access Control Policy regarding cn=schema is too restrictive

  • OPENDJ-7674: Migrating encrypted changelog files during upgrade fails

  • OPENDJ-7655: Replaying multiple MODIFYDN operations is very slow

  • OPENDJ-7612: replication divergence on CTS in the cloud

  • OPENDJ-7599: Cannot add a pre-encoded password to an entry without an existing password

  • OPENDJ-7554: Windows: Secrets not retrieved from :file command-line arguments

  • OPENDJ-7523: Example plugin and example pwdscheme pom.xml are missing correct revision

  • OPENDJ-7513: Missing subSchemaSubEntry attribute from rootDSE access controls

  • OPENDJ-7481: JSON logs do not contain proxy auth DN

  • OPENDJ-7474: Docker sample README.md provides wrong instructions for running the container

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

DS 7.0.0

  • OPENDJ-7319: Addrate can run out of memory when --deleteMode off and --noPurge are set

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7016: status command outputs malformed JSON in script friendly mode

  • OPENDJ-6994: strict-format-country-string does not affect the server

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6711: Replication status reports 'The provided value "5277383431" could not be parsed as an integer'

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The Supportextract hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: Server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6499: Query on rest2ldap over SSL gets stuck after a few curl requests using TLSv1.3 on JDK 11

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6221: Logging for CONNECT operations is not saved in nanosecond format

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6188: Backend returns an incorrect error type when disk space hits low threshold

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6116: Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5664: JDK 11: illegal reflective access warning during import-ldif

  • OPENDJ-5661: supportextract tool help and version options are different from other tools

  • OPENDJ-5660: JDK 11: illegal reflective access warning on setup (with profile)

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5590: Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-4764: REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly

  • OPENDJ-4714: SSL handshake now sends 16KB list of CA issuer DNs

  • OPENDJ-3121: Setup fails to create the lib/extensions directory in the instance.loc path if an instance.loc file is used

  • OPENDJ-2605: Debian packages should be idempotent

  • OPENDJ-1169: Exception/error lost when logging ERR_LOOP_REPLAYING_OPERATION

  • OPENDJ-640: Text query against indexed telephoneNumber attribute is very slow

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid conflict resolution on add sequence when parent and child are added on different replicas

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causes high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected

  • OPENDJ-4464: Collective attributes do not consider whether an attribute is single- or multi-valued

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring reports statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1, the server spins at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimal after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 7.1.x

This page lists the cumulative fixes in DS 7.1.x releases since 5.5.0:

DS 7.1.8

  • OPENDJ-10139: Replication status "TOO_LATE" does not mark DS as unhealthy

  • OPENDJ-10131: ds-mon-receive-delay metric is not working

DS 7.1.7

  • OPENDJ-8228: Updates for an entry in a replicated sub-suffix appear also in the changelog for its parent

DS 7.1.6

  • OPENDJ-9587: ChangeNumberIndexer unable to advance even after proper shutdown of the replica

  • OPENDJ-9542: References to ds-mon-requests-rejected-queue-full in the docs need removing

  • OPENDJ-9472: Upgrade does not correctly handle previously patched upgrades

  • OPENDJ-8992: A replica rejoining the topology after its changelog is purged is not tested for the correct server state

  • OPENDJ-8975: Modified file permissions for 99-user.ldif revert to 600 when DS is restarted

DS 7.1.5

  • OPENDJ-9419: Disaster recovery must delete all domain states from the changelog

  • OPENDJ-9347: GSSAPISASLMechanismHandler incorrectly formats the login conf file

  • OPENDJ-9245: DS backup to an S3 bucket on a new region fails

  • OPENDJ-9204: RS ignores DS state and forwards changes DS has already seen

  • OPENDJ-9020: Replicas should persist their ReplicaOfflineMsg unless they’re being recovered from the replication server

  • OPENDJ-8610: RS-RS session thread stuck in Session.send could prevent DS from shutdown

DS 7.1.4

  • OPENDJ-8792: Log SSL exceptions as errors instead of warnings

DS 7.1.3

  • OPENDJ-8874: Full replica purge should write CSN information right away

  • OPENDJ-8845: Persistent search entry change notifications cannot be read by JNDI

  • OPENDJ-8815: dsrepl status does not take into account a status of Bad generation id

  • OPENDJ-8779: Improve replica and changelog logging

  • OPENDJ-8727: HTTP embedded listener throws IllegalStateException: Output channel is not set

  • OPENDJ-8698: DS should write config archive files in a crash consistent way

  • OPENDJ-8532: Error running export-ldif offline: "DatabaseConfig.setReadOnly() must be set to false when creating a Database"

  • OPENDJ-8378: dsrepl status shows deleted replication domains

  • OPENDJ-8254: dsbackup restore/list slow to complete with cloud storage

DS 7.1.2

  • OPENDJ-8548: Optimize scoping of indexed searches

  • OPENDJ-8500: IllegalMonitorStateException after subtree read lock timeout when adding an entry

  • OPENDJ-8062: Possible inconsistent state after backup restore

  • OPENDJ-7970: Ensure that DS is crash resilient for all runtime file changes

  • OPENDJ-7816: dsbackup fails when destination is a symbolic link to a real directory

  • OPENDJ-4935: Replication instability and divergence when using high latency disks

DS 7.1.1

  • OPENDJ-8243: Indexes could cause ldapsearch to return multiple copies of the same entry

  • OPENDJ-8226: Support Extract tool ignores non-default changelogDb location when collecting domains.state file

  • OPENDJ-8205: Log message lists an object’s string representation instead of a file name

  • OPENDJ-8115: -Djavax.net.ssl.trustStore=<value> in OPENDJ_JAVA_ARGS throws NullPointerException

  • OPENDJ-8090: am-identity-store:7.1 setup profile is not functional

  • OPENDJ-8079: targattrsfilters expression does not work with 2 filters but permits 1 or more than 2 filters

  • OPENDJ-8028: Prometheus monitoring doesn’t work with Telegraf

  • OPENDJ-7971: dsbackup fails when JDB file cleaned

  • OPENDJ-7889: Configuring group-id against DS-only instance requires restart for the change to be reported by monitoring

  • OPENDJ-7818: Package based upgrade does not support instances running as non-root

  • OPENDJ-7755: DS 7.0 replication with an older version: CryptoManager fails to import the symmetric key entry

  • OPENDJ-7744: dsrepl initialize in a topology with DS7 and DS 5.5 fails if DS7 serverId starts with 0

DS 7.1.0

  • OPENDJ-7928: JSON normalization cannot handle nested arrays

  • OPENDJ-7905: Schema replication error after upgrade

  • OPENDJ-7867: NPE if dsbackup bucket name contains underscores

  • OPENDJ-7851: Supportextract tool clobbers the server.out filehandle when kill -3 is used

  • OPENDJ-7847: StaticGroup’s objectclass sanity checks are unhelpful

  • OPENDJ-7810: JMX connections are always considered insecure

  • OPENDJ-7761: DS sporadically hangs while reconnecting to an RS

  • OPENDJ-7758: DS 7.0 dsrepl add-local-server-to-pre-7-0-topology: NPE if master-key is in different keystore

  • OPENDJ-7747: ldapmodify displays a full stack exception on LDIF errors if the connection is already established

  • OPENDJ-7737: ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files

  • OPENDJ-7699: Supportextract throws NoSuchElementException when the server.pid file is empty

  • OPENDJ-7689: dsrepl add-local-server-to-pre-7-0-topology does not tolerate separate keystore and truststore

  • OPENDJ-7687: Global Access Control Policy regarding cn=schema is too restrictive

  • OPENDJ-7674: Migrating encrypted changelog files during upgrade fails

  • OPENDJ-7655: Replaying multiple MODIFYDN operations is very slow

  • OPENDJ-7612: replication divergence on CTS in the cloud

  • OPENDJ-7599: Cannot add a pre-encoded password to an entry without an existing password

  • OPENDJ-7554: Windows: Secrets not retrieved from :file command-line arguments

  • OPENDJ-7523: Example plugin and example pwdscheme pom.xml are missing correct revision

  • OPENDJ-7513: Missing subSchemaSubEntry attribute from rootDSE access controls

  • OPENDJ-7481: JSON logs do not contain proxy auth DN

  • OPENDJ-7474: Docker sample README.md provides wrong instructions for running the container

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

DS 7.0.0

  • OPENDJ-7319: Addrate can run out of memory when --deleteMode off and --noPurge are set

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7016: status command outputs malformed JSON in script friendly mode

  • OPENDJ-6994: strict-format-country-string does not affect the server

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6711: Replication status reports 'The provided value "5277383431" could not be parsed as an integer'

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The Supportextract hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: Server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6499: Query on rest2ldap over SSL gets stuck after a few curl requests using TLSv1.3 on JDK 11

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6221: Logging for CONNECT operations is not saved in nanosecond format

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6188: Backend returns an incorrect error type when disk space hits low threshold

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6116: Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5664: JDK 11: illegal reflective access warning during import-ldif

  • OPENDJ-5661: supportextract tool help and version options are different from other tools

  • OPENDJ-5660: JDK 11: illegal reflective access warning on setup (with profile)

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5590: Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-4764: REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly

  • OPENDJ-4714: SSL handshake now sends 16KB list of CA issuer DNs

  • OPENDJ-3121: Setup fails to create the lib/extensions directory in the instance.loc path if an instance.loc file is used

  • OPENDJ-2605: Debian packages should be idempotent

  • OPENDJ-1169: Exception/error lost when logging ERR_LOOP_REPLAYING_OPERATION

  • OPENDJ-640: Text query against indexed telephoneNumber attribute is very slow

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid conflict resolution on add sequence when parent and child are added on different replicas

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring reports statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 7.0.x

This page lists the cumulative fixes in DS 7.0.x releases since 5.5.0:

DS 7.0.2

  • OPENDJ-7810: JMX connections are always considered insecure

DS 7.0.1

  • OPENDJ-7674: Migrating encrypted changelog files during upgrade fails

  • OPENDJ-7612: replication divergence on CTS in the cloud

  • OPENDJ-7599: Cannot add a pre-encoded password to an entry without an existing password

  • OPENDJ-7554: Windows: Secrets not retrieved from :file command-line arguments

  • OPENDJ-7523: Example plugin and example pwdscheme pom.xml is missing 7.0.0 as revision

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

  • OPENDJ-7443: AM Identity Store 7.0 Setup profile missing "push2faEnabled" attribute

  • OPENDJ-7436: Backup to the cloud takes too much time

  • OPENDJ-5927: Server stuck on a DS trying to reconnect to an RS

DS 7.0.0

  • OPENDJ-7319: Addrate can run out of memory when --deleteMode off and --noPurge are set

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7016: status command outputs malformed JSON in script friendly mode

  • OPENDJ-6994: strict-format-country-string does not affect the server

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6711: Replication status reports The provided value "5277383431" could not be parsed as an integer.

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The Supportextract hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: Server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6499: Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6221: Logging for CONNECT operations is not saved in Nanosecond format

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6188: Backend returns an incorrect error type when disk space hits low threshold

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6116: Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5664: JDK 11: illegal reflective access warning during import-ldif

  • OPENDJ-5661: supportextract tool help and version options are different from other tools

  • OPENDJ-5660: JDK 11: illegal reflective access warning on setup (with profile)

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5590: Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-4764: REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly

  • OPENDJ-4714: SSL handshake now sends 16KB list of CA issuer DNs

  • OPENDJ-3121: Setup fails to create the lib/extensions directory in the instance.loc path if an instance.loc file is used

  • OPENDJ-2605: Debian packages should be idempotent

  • OPENDJ-1169: Exception/error lost when logging ERR_LOOP_REPLAYING_OPERATION

  • OPENDJ-640: Text Query Against indexed telephoneNumber Attribute Very Slow

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid Conflict resolution on Add sequence when Parent & Child are added on different replica

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring reports statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 6.5.x

This page lists the cumulative fixes in DS 6.5.x releases since 5.5.0:

DS 6.5.6

  • OPENDJ-8698: DS should write config archive files in a crash consistent way

  • OPENDJ-8845: Bad encoding of PersistentSearch’s changeType of the EntryChangeNotificationResponseControl

  • OPENDJ-7970: Ensure that DS is crash resilient for all runtime file changes

  • OPENDJ-7761: DS sporadically hangs while reconnecting to an RS

  • OPENDJ-7653: replication issue in the cloud after ldapadd

  • OPENDJ-6349: "RuntimeException: Should never happen" in HttpClientConnection

DS 6.5.5

  • OPENDJ-8028: Prometheus monitoring doesn’t work with Telegraf

  • OPENDJ-7851: Supportextract tool: clobbers the server.out filehandle when kill -3 is used

  • OPENDJ-7818: Package based upgrade does not support instances running as non-root

  • OPENDJ-7737: ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files

  • OPENDJ-7699: Supportextract throws NoSuchElementException when the server.pid file is empty

  • OPENDJ-7655: Replaying multiple MODIFYDN operations is very slow

  • OPENDJ-7481: JSON logs do not contain proxy auth DN

  • OPENDJ-7450: The startswith (sw) operator on indexed JSON attribute is slow

  • OPENDJ-6992: Persistent search from IDM is blocking worker threads

  • OPENDJ-5927: Server stuck on a DS trying to reconnect to an RS

  • CMON-109: Prometheus metrics contains more than one HELP metric line for the same metric

DS 6.5.4

  • OPENDJ-7414: AM: Persistent search with changesOnly gets cancelled by a request timeout

  • OPENDJ-7286: Changelog searches can start with incorrect cursors

  • OPENDJ-7232: StackOverflowError in Tomcat logs when using external DS

  • OPENDJ-7176: Filters with malformed attribute descriptions cannot be parsed

  • OPENDJ-7115: DS does not start when deployed with ISTIO sidecar container in the GCP K8s cloud

  • OPENDJ-7031: VLVIndex are incorrectly rebuilt by rebuild-index

  • OPENDJ-7020: Rebuild-index offline ignores rebuild-index.offline.java-args

  • OPENDJ-7016: Status command outputs malformed JSON in script friendly mode

  • OPENDJ-7014: Some operational attributes are not replicated when a restore --dry-run is used against an online server

  • OPENDJ-6994: Strict-format-country-string does not affect the server

  • OPENDJ-6970: Tamil locales cause illegal matchingRules values

  • OPENDJ-6910: Supportextract --maxLogFiles gathers logs but not the latest logs

  • OPENDJ-6812: Client tools fail in offline mode when Account Status Notification Handlers are used

  • OPENDJ-6711: Replication status reports The provided value "5277383431" could not be parsed as an integer.

  • OPENDJ-6498: Profile creation stores AM cts and config global ACIs in base64 format

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-6309: Search operation on whole tree skips nodes if there are DNs without backends in the directory information tree (DIT)

  • OPENDJ-5851: ACI: getEffectiveRights with authz do not print out acl rights

  • OPENDJ-5439: LeastRequestsStrategy should distribute load randomly when idle

  • OPENDJ-4058: IDM Account Status notification handler doesn’t look for certificates correctly

DS 6.5.3

  • OPENDJ-6930: Increase interoperability with HSMs when protecting and distributing symmetric keys

  • OPENDJ-6929: Support storing ads-certificate key-pair and other instance public keys in an HSM

  • OPENDJ-6892: Incorrect units for two updates metrics

  • OPENDJ-6830: The supportextract tool should capture stack traces in server.out with SIGQUIT

  • OPENDJ-6822: Reduce number of expensive seeks in BlockLogReader

  • OPENDJ-6820: dsconfig "-w -" option doesn’t prompt for password

  • OPENDJ-6787: Changelog searches are extremely slow if any cursors are exhausted

  • OPENDJ-6781: example-plugin fails to build on 6.5 branch

  • OPENDJ-6778: Proxy server mishandles abandon requests

  • OPENDJ-6733: SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute

  • OPENDJ-6708: The supportextract tool fails with an error parsing json

  • OPENDJ-6695: Heap slowly fills with DomainDBCursors

  • OPENDJ-6675: The supportextract tool cannot collect gc files when there are dots in the path

  • OPENDJ-6557: IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11

  • OPENDJ-6540: The supportextract tool hangs when loggers are configured to use /dev/stdout

  • OPENDJ-6527: server does not return password policy responses with only warnings

  • OPENDJ-6521: setup checks admin port despite options --skipPortCheck --doNotStart

  • OPENDJ-6512: Problems when work queue fills

  • OPENDJ-6474: REST: some requests fail when stressing embedded http endpoint with Gatling

  • OPENDJ-6464: IsMemberOfVirtualAttributeProvider does not process subordinate nested groups

  • OPENDJ-6422: Make the supportextract tool compliant with JVM unified logging framework

  • OPENDJ-6394: Update forgerock-commons for 6.5.3

  • OPENDJ-6371: The supportextract tool generates data but returns 1 instead of 0 on Windows

  • OPENDJ-6240: DS not honoring per user resource limits when processing RESTful operation requests

  • OPENDJ-6163: The supportextract tool needs to gather archived-configs

  • OPENDJ-5960: The supportextract tool should gather basic changelogDb information

  • OPENDJ-5895: Unable to rebuild indexes when the Error Log Handler is assigned to a password policy

  • OPENDJ-5600: The supportextract tool should capture stack traces with jcmd

DS 6.5.2

  • OPENDJ-6248: NPE when running supportextract without monitoring user configured

  • OPENDJ-6235: Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured

  • OPENDJ-6222: SMTP messages are sometimes not encoded with the correct charset

  • OPENDJ-6217: NPE when running supportextract tool on upgraded instance

  • OPENDJ-6196: HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address

  • OPENDJ-6173: cn=monitor memory pool stats do not get updated properly over time

  • OPENDJ-6170: supportextract tool misses rotated or non-standard GC log files

  • OPENDJ-6128: supportextract tool needs to gather Profile and Data Information

  • OPENDJ-6125: supportextract tool needs to gather the rootUser and monitorUser ldif files

  • OPENDJ-5972: bin/status command fails when using a french locale

DS 6.5.1

  • OPENDJ-6089: TelephoneNumber syntax in DN creates an incorrect entry DN value

  • OPENDJ-6039: AM Config Store Profile doesn’t have enough access in ProductionMode when upgrading AM

  • OPENDJ-5979: Server does not validate sum of memory used by JE backend caches after upgrade

  • OPENDJ-5977: Can not use custom base dn with cts profile because organization unit is forced

  • OPENDJ-5955: Missing version fallback feature for profiles

  • OPENDJ-5843: Rebuild-index failed with ConfigException on db-cache-size

  • OPENDJ-5801: ldap operation fails with "49 Invalid Credentials" when bindDN of 'cn=Directory Manager' is supplied in a properties file

  • OPENDJ-5794: JE db-cache-size settings conflict with shared cache

  • OPENDJ-5793: Replication on windows: ChangelogException while adding entries

  • OPENDJ-5727: Add optional base DN for each profile

  • OPENDJ-5726: Proxy distribution has trouble scaling writes to 3 shards

  • OPENDJ-5675: JDK11: supportextract tool cannot find jstack command

  • OPENDJ-5611: Change number indexing can lag behind replication under extreme load

  • OPENDJ-5584: Server does not validate sum of memory used by JE backend caches in all cases

  • OPENDJ-5423: Incorrectly reported missing parent entries cause import-ldif and index rebuilds to fail

DS 6.5.0

  • OPENDJ-5606: Upgrade to DS 6.0 fails if multiple filesystems are involved

  • OPENDJ-5594: StackOverflowError with groupOfURLs when isMemberOf is requested

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5558: SDK: LdapUrl is not IPv6 clean

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5496: DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart

  • OPENDJ-5481: ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts

  • OPENDJ-5406: Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize

  • OPENDJ-5293: Proxy: Replication Service Discovery Mechanism logs WARNING

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5140: PersistentSearch heap usage grows

  • OPENDJ-5137: Reading compressed or encrypted entries fails to close the InflaterInputStream

  • OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory

  • OPENDJ-4967: Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4881: Updates via Rest2ldap fail if record does not contain the necessary object class

  • OPENDJ-4852: Backup with --backupAll misses a few backends

  • OPENDJ-4625: Changelog range searches miss entries

  • OPENDJ-4589: dsconfig --offline is not case-insensitive

  • OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

  • OPENDJ-4229: status command with keystore options throws NullPointerException

  • OPENDJ-3480: Updating schema backend properties while it is enabled leaves schema backend in broken state

  • OPENDJ-3343: Invalid Conflict resolution on Add sequence when Parent & Child are added on different replica

  • OPENDJ-3341: REST to LDAP gateway: HTTP response for API description is empty

  • OPENDJ-3153: REST to LDAP gateway: changing password fails when using proxied authorization

  • OPENDJ-2356: verify-index displays an inappropriate error message when run in online mode

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring reports statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 6.0.x

This page lists the cumulative fixes in DS 6.0.x releases since 5.5.0:

DS 6.0.0

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4943: NullPointerException in BackupManager.java when backup --hash is used offline

  • OPENDJ-4845: Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

  • OPENDJ-4823: Adding a third replica breaks key ordering of the changelogDb

  • OPENDJ-4729: WorkerThread is blocked in BlockingBackpressureOperator after disconnection

  • OPENDJ-4725: Cannot reset change-log change number

  • OPENDJ-4598: Replication Server cursoring through obsolete replica IDs causing high CPU spin

  • OPENDJ-4587: Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped

  • OPENDJ-4559: All worker threads blocked on ReentrantReadWriteLock in GroupManager

  • OPENDJ-4557: isMemberOf search result excludes entries' operational attributes

  • OPENDJ-4555: Server not responding

  • OPENDJ-4533: NullPointerException in TTL reaper

  • OPENDJ-4497: ttl-enabling an index requires a restart

  • OPENDJ-4485: MODRDN with a blank newrdn: value is not rejected

  • OPENDJ-4464: Collective attributes do not consider if an attribute is single or multi-valued

  • OPENDJ-4296: Rebuilding index on two backends at the same time causes NPE

  • OPENDJ-4210: Cannot import/export LDIF in offline mode after configuring Password Synchronization Plugin

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-3896: Change number indexer exits due to uncaught IllegalStateException

  • OPENDJ-3878: Example plugin POM has wrong parent and is missing repositories

  • OPENDJ-3504: LDAP bytesRead/Written and SNMP counters (dsApplIfInBytes and dsApplIfOutBytes) are not incremented

  • OPENDJ-3437: Cannot delete access log publisher when it is disabled

  • OPENDJ-1881: OPENDJ JMX monitoring report statistics as type String instead of Number

  • OPENDJ-1158: rebuild-index leaves backend offline if a backup is running

  • OPENDJ-934: Changes to RS window-size property require a server restart

  • OPENDJ-431: Server-side sort control only works on result sets of less than 100000 entries

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Fixes in 5.5.x

This page lists the cumulative fixes in DS 5.5.x releases.

DS 5.5.3

  • OPENDJ-6474: REST: some requests fail when stressing embedded http endpoint with Gatling

  • OPENDJ-6464: isMemberOfVirtualAttributeProvider does not process subordinate nested groups

  • OPENDJ-6447: NullPointerException: formatString was null

  • OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

  • OPENDJ-5607: Update third party libraries

  • OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

  • OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

  • OPENDJ-5423: Incorrectly reported missing parent entries cause import-ldif and index rebuilds to fail

  • OPENDJ-5002: 200s timeout when stopping a replication server

  • OPENDJ-4625: Changelog range searches miss entries

DS 5.5.2

  • OPENDJ-5320: Build fails if the code is build outside the sustaining repo

  • OPENDJ-5274: Upgrade of RS fails on rebuild indexes phase

  • OPENDJ-5272: "idle-time-limit" global configuration property has no effect

  • OPENDJ-5260: Grizzly pre-allocates a useless MemoryManager

  • OPENDJ-5210: Possible memory-leak if request received while bind in progress

  • OPENDJ-5137: Reading compressed entries fails to close the InflaterInputStream

  • OPENDJ-4983: IllegalStateException in change number indexer

  • OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

  • OPENDJ-4934: Replication: changelog not in sync when restarting a server in a topology

  • OPENDJ-4598: Replication Server cursoring through obsolete replica ID’s causing high CPU spin

  • OPENDJ-4590: Replication: cursor aborted on high write throughput

DS 5.5.1

  • OPENDJ-4624: Changelog search filter optimizations fail when there are leading unrelated terms

  • OPENDJ-4295: Syslog data is not fully RFC compliant

DS 5.5.0

  • OPENDJ-4341: setup with production mode with java 9

  • OPENDJ-4316: HTTP Connector leaks Session objects

  • OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

  • OPENDJ-4234: Poor changelog search performance using changenumber ranges

  • OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

  • OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

  • OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

  • OPENDJ-4115: build and publish missing changes gets confused with non-local changes

  • OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

  • OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

  • OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

  • OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

  • OPENDJ-3963: JMXClientConnections are leaked

  • OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

  • OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

  • OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

  • OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

  • OPENDJ-3825: Spring daylight savings change can break recurring tasks

  • OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

  • OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

  • OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

  • OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

  • OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

  • OPENDJ-2850: SDK SASL integrity/confidentiality violates protocol

  • OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

  • OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

  • OPENDJ-1135: DS sometimes fails to connect to RS after server restart

  • OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

Removed

The functionality listed here has been removed.

DS 7.5

  • Support for Java 11 has been removed.

    When upgrading to this version, follow the instructions in Before you upgrade.

  • The dsrepl start-disaster-recovery and dsrepl end-disaster-recovery commands have been removed.

    For instructions on what to use instead, refer to the disaster recovery documentation.

  • Support for SNMP monitoring has been removed.

  • The deprecated /admin and /api (REST to LDAP) endpoints have been removed from the configuration for new servers.

    If you must create them temporarily for compatibility, refer to When adding new servers.

DS 7.4

  • The file-based debug log publisher has been removed.

    An error log publisher now writes debug-level messages. For details, refer to Debug-level logging.

  • The Argon2 password storage configuration property argon2-migration-memory has been removed.

    If necessary, set argon2-memory-pool-size instead.

DS 7.3

  • The following deprecated command-line options have been removed:

    --bindPasswordFile
    --deploymentKeyPasswordFile
    --keyStorePasswordFile
    --monitorUserPasswordFile
    --rootUserPasswordFile
    --trustStorePasswordFile

    Use the --*:file alternatives suggested in Deprecated since DS 7.1 instead. With the setup command, use the --keyStorePasswordFilePath and --trustStorePasswordFilePath options to retain the paths to the files in the configuration instead of copying the cleartext passwords.

  • The Degraded replica status and degraded-status-threshold configuration property have been removed.

    When the replication delay is more than five seconds, the dsrepl status command reports the replica is SLOW.

  • The advanced LDAP connection handler property send-rejection-notice has been removed.

    The LDAP connection handler no longer sends an extended response message with a notice of disconnection when rejecting a new client connection.

DS 7.2

  • The lookthrough-limit setting has been removed. Use time-limit instead.

DS 7.1

  • You can no longer add new DS servers to a deployment with OpenDJ 2.6 or earlier servers.

    Instead, upgrade older servers before adding new servers.

  • DS server configuration support for extending group implementations has been removed, including group implementation configuration objects, their properties, and the related dsconfig subcommands.

    In previous releases, an administrator could disable and enable group implementations, and could change the Java class of a group implementation as part of the server configuration.

    The default group implementations continue to work as documented in Groups.

DS 7.0

  • Support for Java 8 has been removed.

    Support for 32-bit JVMs has also been removed.

    When upgrading to this version, follow the instructions in Before you upgrade.

  • The backup and restore commands have been removed. Use the dsbackup command instead.

  • The dsreplication command has been removed.

    You now configure replication as part of the setup process using the setup --replicationPort and setup --bootstrapReplicationServer options. For details and examples, refer to Installation.

    For most operations, use the dsrepl command. Since replication configuration is part of the setup process, the dsrepl command does not include a command for configuring replication. Learn about the new command in Replication, and Changelog for notifications.

    To temporarily suspend and resume replication, use the dsconfig command. For details, refer to Disable replication.

  • The ads-truststore and ads-truststore.pin files have been removed.

    For new deployments, DS servers protect secret keys with a shared master key. The setup process derives the shared master key from the deployment ID and password.

  • The JVM profiler plugin has been removed.

  • The following monitoring metrics have been removed:

    • LDAP metrics:

      • ds-mon-approx-oldest-change-not-synchronized

      • ds-mon-approximate-delay

      • ds-mon-missing-changes

    • Prometheus metrics:

      • ds_replication_changelog_connected_replicas_approx_oldest_change_not_synchronized_seconds

      • ds_replication_changelog_connected_replicas_approximate_delay_seconds

      • ds_replication_changelog_connected_replicas_missing_changes

  • The following monitoring metrics, which depend on the JVM implementation, are not stable interfaces. They have been removed from the documentation:

    Garbage collection statistics

    Affected metrics have names like ds-mon-jvm-garbage-collector-* under cn=monitor, and ds_jvm_garbage_collector_* in Prometheus output.

    Memory pool use

    Affected metrics have names like ds-mon-jvm-memory-pools-* under cn=monitor, and ds_jvm_memory_pools_* in Prometheus output.

  • The No-Op alias for the LDAP no-op control (OID: 1.3.6.1.4.1.4203.1.10.2) has been removed.

    Use the NoOp alias or the OID instead.

DS 6.5

  • The manage-account get-password-history subcommand has been removed due to security concerns.

DS 6.0

  • The control panel has been removed. Use the command line tools instead.

  • The dsreplication subcommands enable and disable have been removed.

    Use the configure and unconfigure subcommands instead.

  • Support for PDB backend databases has been removed in this release. DS supports JE backend databases.

    As a result, the setup directory-server option, -t | --backendType, has been removed.

  • The JE backend database advanced properties, db-txn-no-sync and db-txn-write-no-sync, have been removed.

    Use db-durability instead.

  • The EL expression implementation for using variables in server configurations has been removed.

  • The PIN and password related configuration properties listed in the following table have been removed.

    Old properties (removed)
        key-store-pin-environment-variable, key-store-pin-file, key-store-pin-property
    Use this instead
        key-store-pin

    Old properties (removed)
        trust-store-pin-environment-variable, trust-store-pin-file, trust-store-pin-property
    Use this instead
        trust-store-pin

    Old properties (removed)
        mapped-search-bind-password-environment-variable, mapped-search-bind-password-file, mapped-search-bind-password-property
    Use this instead
        mapped-search-bind-password

    Old properties (removed)
        proxy-user-password-environment-variable, proxy-user-password-file, proxy-user-password-property
    Use this instead
        proxy-user-password

    Old properties (removed)
        bind-password-environment-variable, bind-password-file, bind-password-property
    Use this instead
        bind-password

    To replace these properties, use configuration expressions. For example, to replace key-store-pin-file: config/keystore, use key-store-pin: &{file:config/keystore}. To replace key-store-pin-property: ds.keystore.pin, use key-store-pin: &{ds.keystore.pin}.

  • The dsconfig get-root-dn-prop and dsconfig set-root-dn-prop subcommands have been removed.

  • Support for assured replication has been removed in this release.

    The interface stability of assured replication has been classified as Internal.

DS 5.5

  • Support for Java 7 has been removed.

  • Support for Solaris has been removed.

  • The setup command no longer supports addition of an instance.loc file to specify the instance path during server setup.

    If you do create an instance.loc file before setting up the server, the setup command fails with an error indicating either that the server has already been set up (when the instance.loc file references a valid server instance path), or that the instance.loc file references a path that does not exist yet.

    Use the setup --instancePath option instead.

  • The uninstall command has been removed.

  • The advanced JE backend properties, db-evictor-lru-only and db-evictor-nodes-per-scan, have been removed. When you upgrade a directory server, the upgrade command removes these properties from the configuration.

Incompatible changes

DS 7.5

The following changes affect the evolving DS plugin API:

Class or interface Changes

PluginOperation

Added:

  • getRequest()

    You can also now use getRequest().getRequestType().

  • hasPrivilege()

Removed:

  • getOperationType()

  • removeAttachment(String name)

PreParseOperation
PreOperationOperation

Added:

  • sendResponses(ResponseStream responses) for sending intermediate responses.

    The APIs were removed from the ClientConnection class.

ClientConnection

This class has a volatile API and will very likely be subject to significant changes in future releases.

Many methods were added and removed.

InProgressSearchOperation
PostOperationSearchOperation
PostResponseSearchOperation
PreOperationSearchOperation
PreParseSearchOperation

To access resource limits, change your code from:

int sizelimit = getSizeLimit();
int timelimit = getTimeLimit();

To:

int sizelimit = getResourceLimits().getSizeLimit();
int timelimit = getResourceLimits().getTimeLimit();

DS 7.4

  • You can upgrade DS 6.0 and later servers directly to DS 7.4.

    When starting from 5.5.x and earlier, first upgrade all servers to DS 6.5 before upgrading further. Direct upgrade from versions earlier than 6.0 is no longer supported.

  • For new DS servers, the setup command no longer enables support for changelog change numbers or change number indexing by default.

    For new servers, the replication server configuration property is changelog-enabled: enabled-cookie-mode-only by default, meaning client applications must use cookies instead of change numbers when searching the changelog. For examples, refer to Use the external change log.

    When you upgrade an existing server in place, the upgrade command keeps the existing server behavior.

  • The documentation describes the new HDAP APIs for HTTP access.

    For documentation covering REST to LDAP, refer to Use REST/HTTP for 7.3.

  • The log publisher properties default-severity and override-severity now take single values.

    Set them to the lowest severity level to log.

  • The create-rc-script option -f|--outputFile has been removed.

    Use -r|--rcScript /etc/init.d/opendj or -s|--systemdService /etc/systemd/system/opendj.service instead.

  • The configuration property big-index-matching-rule has changed to big-index-extensible-matching-rule.

    When creating a big-extensible index, you must set at least one big-index-extensible-matching-rule.

  • The configuration property log-control-oids has changed to log-controls and is true by default for new servers.

  • DS servers no longer return replication conflict entries by default.

    Use the manage DSAIT LDAP control to access them.

DS 7.3

  • New DS servers now write replication messages to the server error log (default: opendj/logs/errors).

  • Metrics formerly under cn=entry cache,cn=monitor have moved under cn=entry caches,cn=monitor.

DS 7.2

  • The deployment key described in earlier DS 7 releases has been renamed deployment ID:

    • A deployment ID is not a cryptographic key or digital certificate.

    • A deployment ID does uniquely identify a DS deployment.

    The change affects the commands and the documentation:

    Old option New option

    --deploymentKey

    --deploymentId

    --deploymentKeyPassword

    --deploymentIdPassword

    The name change does not affect the deployment IDs (formerly keys) themselves. You can continue to use existing IDs (keys) in your deployments.

  • The setup command now requires a --deploymentId option.

    Before running setup for the first time, generate a deployment ID as shown throughout the documentation:

    $ /path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
    <deployment-id>
    $ export DEPLOYMENT_ID=<deployment-id>

  • As a side effect of the change to allow mail addresses to include UTF-8 characters, DS no longer supports zero-length mail addresses.

    If you cannot prevent applications from adding zero-length mail addresses and no addresses use UTF-8, set the advanced core schema property allow-zero-length-values-directory-string to true.

  • The following changes affect proxy backend configurations:

    Old Property New Property

    heartbeat-interval

    keep-alive-interval

    heartbeat-search-request-base-dn

    keep-alive-search-request-base-dn

  • The lookthrough-limit setting has been removed. Use time-limit instead.

    DS servers now enforce time-limit and ds-rlim-time-limit settings while evaluating the entries to return for a search, rather than enforcing time limits only when sending entries.

    DS servers now ignore the ds-rlim-lookthrough-limit setting.

  • The global advanced setting, cursor-entry-limit, has been replaced by a max-candidate-set-size setting, which corresponds to the maximum number of candidate entries that DS servers maintain in memory when querying attribute indexes.

  • The dsbackup command no longer supports specifying options before the subcommand.

    You must now put all options after the subcommand, as has always been indicated in the documentation.

DS 7.1

  • With the introduction of the global configuration property, group-id-failover-order, which takes a comma-separated list of group IDs, commas are no longer permitted in group IDs.

    The upgrade command replaces each , with a . in group IDs.

  • The following changes affect proxy backend configurations:

    Old Property New Property Notes

    load-balancing-algorithm

    None

    All proxy backends now use affinity load balancing. As a result, they always route requests with the same target DN to the same server.

    bind-connection-pool-idle-timeout

    connection-pool-idle-timeout

    DS proxy backends no longer use shared connection pools.

    bind-connection-pool-max-size

    connection-pool-max-size

    bind-connection-pool-min-size

    connection-pool-min-size

    request-connection-pool-size

    None

  • When using the dskeymgr command to generate a PEM format certificate, you can no longer use the --alias option. The PEM format does not support aliases.

    If you do use the --alias and --outputFile options together, the command now displays an error message:

    You may not provide both the --outputFile and the --alias arguments

DS 7.0

Accounts

  • The default directory superuser (Directory Manager) DN is now uid=admin for new servers.

    The upgrade process does not change the directory superuser DN for existing servers.

    This change makes it easier to manage the server configuration over REST, as the default identity mapper configuration maps the HTTP admin username to the LDAP DN uid=admin.

  • The replication service discovery mechanism now obtains some information by reading the cn=monitor LDAP entry. As a result, the bind-dn account must now have the monitor-read privilege.

    This affects accounts used by DS directory proxy servers to bind to DS replication servers. For an example showing the account with the monitor-read privilege, refer to Try DS directory proxy.

Backup

  • DS backups taken with this release are not compatible with backups from earlier releases.

  • Scheduled backup tasks continue after upgrade.

  • Tasks created with the restore command in earlier releases are removed during upgrade.

Data

The default backend ID for application data depends on the setup profiles.

The upgrade process does not change the backend ID for existing servers.

LDAP

When matching strings in attributes with telephone number syntax, DS servers now behave as follows:

  • As in previous versions, a search for "(telephoneNumber=1555123456)" matches entries with telephone number values +1 555 123 456 and 1 555 123456.

  • All + characters are ignored.

    In other words, + is no longer significant when matching a telephone number syntax attribute.

  • A search for "(telephoneNumber=*Flower*)" returns only entries with telephone numbers containing Flower (case-insensitive match).

  • A search for "(telephoneNumber=15550102)" no longer matches entries with telephone numbers like +15550102 - Home.
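The four matching rules listed above, worked through in code. This is an added illustration of the described behaviour, not DS code: it assumes normalization removes every "+" and every whitespace character and folds case, leaves hyphens and other punctuation alone (the notes say nothing about them), and evaluates only simple equality and substring filters on telephoneNumber. The entries, function names and DNs are constructed for the example.

```python
"""Telephone-number matching as the DS 7 notes describe it (illustration, not DS code)."""
import re

FILTER = re.compile(r"\(telephoneNumber=([^)]*)\)", re.IGNORECASE)


def normalize_telephone(value: str) -> str:
    """Normalized form used for both equality and substring matching.

    Assumption: '+' and whitespace are dropped and case is folded; hyphens and
    other punctuation are kept because the notes do not mention them.
    """
    return re.sub(r"[+\s]+", "", value).casefold()


def telephone_equals(assertion: str, value: str) -> bool:
    """Equality match: '(telephoneNumber=1555123456)' against one attribute value."""
    return normalize_telephone(assertion) == normalize_telephone(value)


def telephone_substring(assertion: str, value: str) -> bool:
    """Substring match: evaluate an assertion such as '*Flower*' or '1555*' against one value."""
    parts = [normalize_telephone(p) for p in assertion.split("*")]
    initial, final, anys = parts[0], parts[-1], parts[1:-1]
    text = normalize_telephone(value)
    if len(text) < len(initial) + len(final):
        return False  # initial and final pieces may not overlap
    if not text.startswith(initial) or not text.endswith(final):
        return False
    pos, end = len(initial), len(text) - len(final)
    for piece in anys:  # each 'any' piece must appear, in order, between initial and final
        idx = text.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def search(filter_text: str, entries):
    """Return the DNs whose telephoneNumber values satisfy a simple equality or substring filter."""
    m = FILTER.fullmatch(filter_text)
    if m is None:
        raise ValueError("unsupported filter: %s" % filter_text)
    assertion = m.group(1)
    match = telephone_substring if "*" in assertion else telephone_equals
    return [dn for dn, values in entries if any(match(assertion, v) for v in values)]


# Constructed sample entries: (dn, telephoneNumber values)
ENTRIES = [
    ("uid=bjensen,ou=People,dc=example,dc=com", ["+1 555 123 456"]),
    ("uid=kvaughan,ou=People,dc=example,dc=com", ["1 555 123456"]),
    ("uid=flower,ou=People,dc=example,dc=com", ["+1 555 0100 (Flower Shop)"]),
    ("uid=home,ou=People,dc=example,dc=com", ["+15550102 - Home"]),
]

if __name__ == "__main__":
    for f in ["(telephoneNumber=1555123456)", "(telephoneNumber=*Flower*)",
              "(telephoneNumber=15550102)", "(telephoneNumber=*0102*)"]:
        print(f, "->", search(f, ENTRIES))
```

The last filter shows the practical consequence of the change: a value stored with trailing text such as "+15550102 - Home" is no longer found by an equality filter, so an application that relied on the old lenient match must switch to a substring filter or clean the stored values.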

Logging

  • The batch configuration for the JMS common audit handler for access logs has changed to support reconnection if the broker becomes unavailable.

    This change adds a batch.writeInterval setting. It removes the following settings:

    • batch.batchEnabled

    • batch.insertTimeoutSec

    • batch.pollTimeoutSec

    • batch.shutdownTimeoutSec

    • batch.threadCount

  • The example JDBC audit handler configuration for logging to MySQL has changed.

    The old configuration is not compatible with MySQL 8, supported in DS 7.

Mail

The global property smtp-server has been replaced with a configuration object, mail server.

Replication

  • The group-id and server-id identifiers are now global settings, and only take a single value per server.

    Replication domain and replication server configurations no longer have mutable server-id and group-id properties.

  • The external changelog domain configuration has moved to the replication domain and replication server configurations.

    This affects the following properties:

    • ecl-include

    • ecl-include-for-deletes

    • changelog-enabled-excluded-domains

  • The following replication domain configuration properties have moved to the replication synchronization provider:

    • changetime-heartbeat-interval

    • isolation-policy

    • heartbeat-interval

    • initialization-window-size

    • log-changenumber

    • referrals-url

    • solve-conflicts

    • source-address

  • The following replication server properties have moved to the replication synchronization provider:

    • replication-purge-delay

    • source-address

  • In addition to the property changes, the replication synchronization provider has changed:

    • A new property, bootstrap-replication-server, takes the addresses of one or more replication servers this server should contact to discover the rest of the topology.

    • The replication-purge-delay property has replaced the replication domain property, conflicts-historical-purge-delay.

      In this release, the replication-purge-delay setting alone governs how long the replica retains data in the changelog and historical metadata necessary to solve conflicts in directory entries.

REST

  • The resourceTypeProperty field is no longer used in REST to LDAP configurations. The resource type is now inferred from the property with "type": "resourceType".

Security

  • Default security settings have been hardened.

    For details, refer to Default Security Settings.

  • The following configuration changes impact TLS-related settings:

    The Crypto Manager no longer has the following properties:

    • ssl-cert-nickname

    • ssl-cipher-suite

    • ssl-encryption

    • ssl-protocol

    The replication synchronization provider configuration object now has the following properties:

    • key-manager-provider

    • ssl-cert-nickname

    • ssl-cipher-suite

    • ssl-encryption

    • ssl-protocol

    • trust-manager-provider

    The following configuration objects now have ssl-cipher-suite and ssl-protocol properties:

    • HTTP OAuth2 OpenAM authorization mechanism

    • HTTP OAuth2 token introspection (RFC 7662) authorization mechanism

    • Replication service discovery mechanism

    • Static service discovery mechanism

  • The default fingerprint algorithm for the fingerprint certificate mapper is now SHA-256.

Setup

The setup command has changed:

  • The --productionMode option has been removed.

    Default settings are now secure. For details, refer to Default Security Settings.

    The evaluation setup profile is compatible with other setup profiles. However, if you apply the evaluation setup profile last, it sets unauthenticated-requests-policy:allow, granting global permission to perform operations over insecure connections.

  • Subcommands have been replaced by setup profiles.

  • The setup command no longer starts the server by default.

    Before starting your new DS server, finish configuration.

    If no further configuration is required, use the setup --start option.

  • For new servers, key pairs with self-signed certificates are no longer used. Instead, the setup process generates keys used for secure connections, and derives a shared master key to protect secret keys for data encryption. These keys depend on a deployment ID and deployment ID password.

    The deployment ID and deployment ID password are required as part of the setup process:

    • If you do not provide your own keys, the generated keys and the signing CA certificate are stored in a PKCS#12 keystore file, config/keystore.

      The password is stored in a PIN file, config/keystore.pin.

      You can use the CA certificate as the root of trust for an entire deployment.

    • By default, replication now relies on the same key pairs as all other connection handlers to secure network communications.

      The Replication Key Manager and Replication Trust Manager providers now point to the providers chosen during the setup process.

    • The Default Key Manager is now named after its keystore format, such as PKCS12.

  • The following setup command options have been removed:

    • -a, --addBaseEntry

    • -b, --baseDn

    • --useJvmTrustStore

    • -l, --ldifFile

    • -O, --doNotStart

    • --productionMode

    • -R, --rejectFile

    • --skipFile

    Add your initial data before starting the server by creating a backend database, configuring indexes, and importing from LDIF.

  • The -d, --sampleData option has moved. It is now provided as the generatedUsers parameter of the ds-evaluation setup profile.

Tools

  • DS command line tools no longer support the -w - and --bindPassword - options to prompt interactively for a password.

    Instead, provide the bind DN and omit the -w - or --bindPassword - option. The tools then prompt for a password unless you specify the --no-prompt option.

Upgrade

You can upgrade DS 3.0 and later servers directly to DS 7.

When starting from 2.6, first upgrade all servers to DS 6.5 before upgrading further. Direct upgrade from 2.6 is no longer supported.

Default Security Settings

When you set up new DS servers, they are now configured with tighter security settings by default. These changes do not affect DS servers that you upgrade from earlier versions. If you require more lenient settings for compatibility, you must configure them after setting up the server:

  • All operations require secure connections, except bind requests, StartTLS requests, and base object searches on the root DSE.

    This behavior is governed by the global configuration property, unauthenticated-requests-policy, which is now set to allow-discovery, instead of allow, unless the last setup profile applied is the ds-evaluation profile.

  • The password storage scheme for the Default Password Policy and Root Password Policy is now PBKDF2-HMAC-SHA256 with 10 iterations. For stronger security, raise the number of iterations, and require users to change their passwords.

    PBKDF2-HMAC-SHA256 is a computationally intensive one-way hashing scheme. When used with a high number of iterations, it is intentionally orders of magnitude slower than the previous default for user passwords, which was Salted SHA-512.

    PBKDF2-HMAC-SHA256 and similar computationally intensive password storage schemes lower throughput and raise response times for some operations, including the following:

    • Importing plaintext passwords from LDIF; for example, during evaluation and testing with generated data.

    • Updating passwords.

    • Authenticating with passwords.

    To migrate user passwords to a new storage scheme, refer to Password storage.

  • SASL mechanism handler configurations for CRAM-MD5 and DIGEST-MD5 are no longer present in the default configuration.

  • Password storage scheme configurations for MD5, RC4, and Salted MD5 are no longer present in the default configuration.

    Less secure and reversible password storage schemes have been disabled in the default configuration. You must therefore enable these password storage schemes if you intend to use them.

    Setting | New Default
    Crypto Manager | SHA-256
    Crypto Manager | RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
    Crypto Manager | HmacSHA256
    Global setting (unauthenticated-requests-policy) | allow-discovery
    Password storage scheme: 3DES | false
    Password storage scheme: AES | false
    Password storage scheme: Base64 | false
    Password storage scheme: Blowfish | false
    Password storage scheme: Clear | false
    Password storage scheme: CRYPT | false
    Password storage scheme: PBKDF2 | false
    Password storage scheme: PKCS5S2 | false
    Password storage scheme: Salted SHA-1 | false
    Password storage scheme: Salted SHA-256 | false
    Password storage scheme: Salted SHA-384 | false
    Password storage scheme: Salted SHA-512 | false
    Password storage scheme: SHA-1 | false
    Pluggable (JE) backend | AES/GCM/NoPadding
    Replication server | AES/GCM/NoPadding
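The cost trade-off behind the PBKDF2-HMAC-SHA256 default described above, as an added example that is not DS code: it encodes and verifies passwords with a configurable iteration count, flags stored values that fall below a raised minimum so they can be re-encoded at the next successful bind, and measures how verification time grows with iterations. The storage string layout used here is a constructed stand-in, not the encoding DS writes into userPassword values.

```python
"""Cost and migration behaviour of PBKDF2-HMAC-SHA256 password storage.

Added example; this is not DS code. The storage string layout used here,
{PBKDF2-HMAC-SHA256}<iterations>:<base64(salt || derived key)>, is a
constructed stand-in for illustration, not the exact encoding DS writes
into userPassword values.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

SCHEME = "PBKDF2-HMAC-SHA256"
SALT_LEN = 16   # bytes of random salt per password (constructed choice)
DK_LEN = 32     # derived key length, the SHA-256 output size


def encode_password(password: str, iterations: int = 10,
                    salt: Optional[bytes] = None) -> str:
    """Encode a plaintext password the way a storage scheme would.

    The default of 10 iterations mirrors the new DS default described above;
    a production policy should use a far higher count.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, DK_LEN)
    return "{%s}%d:%s" % (SCHEME, iterations,
                          base64.b64encode(salt + dk).decode("ascii"))


def parse_encoded(encoded: str) -> Tuple[int, bytes, bytes]:
    """Split an encoded value into (iterations, salt, derived key)."""
    prefix = "{" + SCHEME + "}"
    if not encoded.startswith(prefix):
        raise ValueError("not a %s value" % SCHEME)
    iter_text, _, b64 = encoded[len(prefix):].partition(":")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != SALT_LEN + DK_LEN:
        raise ValueError("malformed encoded password")
    return int(iter_text), raw[:SALT_LEN], raw[SALT_LEN:]


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = parse_encoded(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(encoded: str, min_iterations: int) -> bool:
    """True when a stored value uses fewer iterations than policy now requires.

    Raising the iteration count only affects passwords encoded afterwards,
    which is why the note above says to require users to change their
    passwords: a successful bind is the point at which the plaintext is
    available to re-encode.
    """
    iterations, _, _ = parse_encoded(encoded)
    return iterations < min_iterations


def seconds_per_verify(iterations: int, rounds: int = 20) -> float:
    """Average wall-clock seconds for one verification at this iteration count.

    Constructed micro-benchmark: the same cost applies to LDIF import of
    plaintext passwords, password updates and every password bind.
    """
    encoded = encode_password("benchmark-only", iterations)
    start = time.perf_counter()
    for _ in range(rounds):
        verify_password("benchmark-only", encoded)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for n in (10, 1_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_verify(n) * 1000:.3f} ms per bind")
```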

DS 6.5

  • There is an issue when running an upgrade from DS 6.5.0 to 6.5.1. If you did not set the je-backend-shared-cache-enabled property and accepted the default value of true prior to the upgrade, the value changes AFTER upgrade to false. You may have to reset this value to true for your deployments.

    If you set the je-backend-shared-cache-enabled property prior to upgrade to either true or false, the value does not change after upgrade.

  • The status command has been rewritten, with the following notable changes:

    • The command is no longer interactive.

    • You must supply the required options when invoking the status command.

    • The command now has an --offline option.

    • When you run status --offline on a running server, the command only displays a portion of the available information.

    • You can now run the command against a remote DS server version 6 or later.

    • The output shows more information than before.

  • The dsreplication status command no longer shows metrics for M.C. (missing changes) and A.O.M.C. (age of oldest missing change). Instead, it shows the replication delay.

    For DS 6 and later servers that expose a replication delay metric, the command shows the delay value. For DS 5.5 and earlier servers, the command shows N/A.

  • The db/admin backend has been renamed db/adminRoot.

  • The global server configuration property, reject-unauthenticated-requests, a boolean, has been removed and replaced with the property, unauthenticated-requests-policy. The new property can be set to the following values:

    reject

    Same behavior as reject-unauthenticated-requests:true

    allow

    Same behavior as reject-unauthenticated-requests:false

    allow-discovery

    Like reject, but allows unauthenticated base object searches of the root DSE

  • The proxy backend configuration property service-discovery-mechanism has been renamed shard.

  • The encode-password command now displays the encoded password without additional characters.

    In other words, the output is now {scheme}encoded-password rather than Encoded Password: "{scheme}encoded-password".

DS 6.0

  • Root DN users no longer belong to a special group or have alternate names, nor are their accounts stored in the configuration file, config.ldif. Instead, directory superusers are now stored in their own, separate backends whose base DN is the user DN.

    When you upgrade a server, the upgrade process moves existing root DN users to their own LDIF backends. The LDIF files for these backends are found in the /path/to/opendj/db directory.

    You can choose to store directory superuser entries in database backends instead of LDIF backends. This allows you to encrypt the data on disk, for example. (Recreate the backend as a JE backend, and then import from the LDIF file.)

  • Previously, root DN user profiles had an alternate-bind-dn property. This was used to allow you to specify bind DNs such as cn=Directory Manager instead of cn=Directory Manager,cn=Root DNs,cn=config. As the root user DNs are now top-level DNs, this mechanism is no longer supported.

  • Directory superuser privileges are now specified as ds-privilege-name values on their entries.

    As a result of this change, the dsconfig get-root-dn-prop and dsconfig set-root-dn-prop subcommands are no longer supported.

  • For new installations, defaults have changed for the following JE backend properties:

    • The default for db-log-file-max has increased from 100 MB to 1 GB.

    • The default for db-log-filecache-size has increased from 100 to 200.

    • The default for disk-low-threshold is now 5% of the filesystem size, plus 5 GB.

    • The default for disk-full-threshold is now 5% of the filesystem size, plus 1 GB.

    The new defaults for disk-low-threshold and disk-full-threshold apply for replication servers as well.

  • Default connection handler names have been shortened. The "Connection Handler" suffixes have been dropped from the names.

    For example, the default "LDAP Connection Handler" is now named "LDAP".

  • Server configuration expressions have been reimplemented to align with other Ping Identity Platform software.

  • The setup command option --useJceks has been renamed to --useJceKeyStore.

    The setup command option --useJceksTrustStore has been renamed to --useJceTrustStore.

  • When creating a schema provider for a customized JSON query matching rule, the type to create is now json-query-equality-matching-rule, rather than json-schema.

  • For new DS server installations, the file layout has changed to separate mutable data, which the server changes at runtime, from potentially immutable configuration data.

    When you upgrade an existing server, the following files remain where they were in the old layout:

    • LDAP schema files located in the config/schema/ directory

    • The config/ads-truststore and config/ads-truststore.pin files

    When you set up a new server, the new file layout is used for all files. The file names in the following table indicate where files have moved.

    Old Layout | New Layout
    config/admin-backend.ldif | db/admin/admin-backend.ldif
    config/admin-backend.ldif.old | db/admin/admin-backend.ldif.old
    config/ads-truststore | db/ads-truststore/ads-truststore
    config/ads-truststore.pin | db/ads-truststore/ads-truststore.pin
    config/archived-configs | var/archived-configs
    config/config.ldif.startok | var/config.ldif.startok
    All LDAP schema files in the config/schema/ directory | The db/schema/ directory
    config/tasks.ldif | db/tasks/tasks.ldif
    All files in the config/upgrade/ directory | The var/upgrade/ directory

  • The command-line performance tools no longer accept printf-style format strings in templates. Instead, they use a {1}, {2}, {n} token syntax, where the {1} represents the first data source, {2} the second, and so on.

    As an example, the following command measures search throughput and response time. For each search, the command substitutes a random value for {1} from the specified range of rand(0,2000):

    $ searchrate -p 1389 -b "dc=example,dc=com" -g "rand(0,2000)" "(uid=user.{1})"

    The tools also support relative indexing, using {} tokens without numbers. In the example above, "(uid=user.{})" would reference the -g "rand(0,2000)" data source.

    This change affects the following tools:

    • addrate

    • authrate

    • modrate

    • searchrate
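An added example (not the DS tools' own code) that models the {n} and {} token syntax above for rand(start,end) data sources, and rewrites pre-6.0 printf-style templates to it. Two details are assumptions: rand() bounds are treated as inclusive, and each bare {} takes the next -g data source in order.

```python
"""Interpreter for the {n} / {} template tokens of the DS performance tools.

Added example; this is not the tools' own code. It implements the token
syntax described above for rand(start,end) data sources, plus a helper to
migrate old printf-style templates. Two details are assumptions: rand()
bounds are treated as inclusive, and each unnumbered {} token takes the
next data source in order (relative indexing).
"""
import random
import re
from typing import List, Optional, Sequence, Tuple

_TOKEN = re.compile(r"\{(\d*)\}")
_RAND = re.compile(r"^rand\((-?\d+),(-?\d+)\)$")
# printf conversion: flags, width, precision, conversion character
_PRINTF = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[dsfxX]")


def parse_source(spec: str) -> Tuple[int, int]:
    """Parse a -g data source; only rand(start,end) is supported here."""
    m = _RAND.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported data source: {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"empty range in {spec!r}")
    return lo, hi


def expand(template: str, sources: Sequence[str],
           rng: Optional[random.Random] = None) -> str:
    """Render one request from a template, drawing one value per data source.

    {1}, {2}, ... refer to the first, second, ... -g source; a bare {} refers
    to the source after the one used by the previous bare {} (assumed rule).
    """
    rng = rng if rng is not None else random.Random()
    ranges = [parse_source(s) for s in sources]
    values = [rng.randint(lo, hi) for lo, hi in ranges]
    position = 0

    def substitute(match) -> str:
        nonlocal position
        if match.group(1):
            index = int(match.group(1)) - 1
        else:
            index = position
            position += 1
        if not 0 <= index < len(values):
            raise IndexError(f"token {match.group(0)} has no matching -g data source")
        return str(values[index])

    return _TOKEN.sub(substitute, template)


def migrate_printf_template(template: str) -> str:
    """Rewrite a pre-6.0 printf-style template to the {n} token syntax.

    Each conversion (%d, %s, ...) becomes the next numbered token, in order,
    and a literal %% becomes a single %.
    """
    counter = 0
    out: List[str] = []
    i = 0
    while i < len(template):
        if template.startswith("%%", i):
            out.append("%")
            i += 2
            continue
        m = _PRINTF.match(template, i)
        if m:
            counter += 1
            out.append("{%d}" % counter)
            i = m.end()
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # The searchrate example above: -g "rand(0,2000)" "(uid=user.{1})"
    print(expand("(uid=user.{1})", ["rand(0,2000)"]))
    print(migrate_printf_template("(uid=user.%d)"))
```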

DS 5.5

  • Port-related options, and their short versions (such as -p for --port), no longer have default values when used in non-interactive mode:

    Commands affected: addrate, authrate, backup, control-panel, dsconfig, export-ldif, import-ldif, ldapcompare, ldapdelete, ldapmodify, ldappasswordmodify, ldapsearch, manage-account, manage-tasks, modrate, rebuild-index, restore, searchrate, stop-ds
    Options affected: --port

    Commands affected: dsreplication
    Options affected: --port, --port1, --port2, --portDestination, --portSource, --replicationPort1, --replicationPort2

  • The -t | --numThreads option for the following tools has changed to -t | --numConcurrentRequests:

    • addrate

    • authrate

    • modrate

    • searchrate

  • The dsreplication command’s --baseDn option is now only available where it is applicable.

    The reset-change-number, resume, status, and suspend subcommands no longer accept a --baseDn option.

  • The product name has been aligned with the official name of the software release. The full product name starting with this release is ForgeRock Directory Services.

    This change impacts clients that depend on the product name.

    It also impacts the name used in product subcomponents. For example, in earlier releases the syslog handler sent messages with the process name OpenDJ. The syslog handler now sends messages with the process name ForgeRock.

  • Manually changing the enabled property of an external change log domain returns incoherent results across the topology and is not supported.

Deprecated

The functionality listed here is deprecated, and likely to be removed in a future release.

Since DS 7.5.1

  • The setup-profile command’s --instancePath option is deprecated.

    Run the setup-profile command located with the server instance.

Since DS 7.5

  • The Prometheus endpoint configuration property legacy-format is deprecated.

    Update your applications to work with the Prometheus text format.

  • To prepare for compliance with the OpenMetrics standard, all Prometheus counter metrics end in _total going forward.

    The following table lists deprecated metrics with their replacements:

    Deprecated counter | Use this instead
    ds_connection_handlers_ldap_abandoned_requests | ds_connection_handlers_ldap_abandoned_requests_total
    ds_replication_replica_replayed_internal_updates | ds_replication_replica_replayed_internal_updates_total
    ds_replication_replica_replayed_updates_conflicts_resolved | ds_replication_replica_replayed_updates_conflicts_resolved_total
    ds_replication_replica_replayed_updates_conflicts_unresolved | ds_replication_replica_replayed_updates_conflicts_unresolved_total
    ds_replication_replica_sent_updates | ds_replication_replica_sent_updates_total
    ds_replication_replica_updates_already_in_progress | ds_replication_replica_updates_already_in_progress_total

Since DS 7.4.2

  • The dsrepl start-disaster-recovery and dsrepl end-disaster-recovery commands are deprecated.

    For instructions on what to use, refer to the disaster recovery documentation instead.

Since DS 7.4

  • Support for REST to LDAP is deprecated in favor of HDAP for future applications.

    REST to LDAP remains supported as documented for DS 7.3.

    For details about HDAP, refer to Use HDAP.

  • Support for /admin/config is deprecated.

    Use the dsconfig command to change the DS server configuration.

  • Support for /metrics/api is deprecated.

    Use Prometheus for HTTP monitoring instead. For details, refer to HTTP-based monitoring.

  • Support for the backwards-compatible file-based access log publisher is deprecated.

    Use the JSON format log publishers, which new DS servers use by default since the 5.0 release.

  • Support for the JMX connection handler is deprecated.

    JMX MBeans remain supported.

Since DS 7.3.5

  • The dsrepl start-disaster-recovery and dsrepl end-disaster-recovery commands are deprecated.

    For instructions on what to use, refer to the disaster recovery documentation instead.

Since DS 7.3

This release does not deprecate any functionality.

Since DS 7.2.5

  • The dsrepl start-disaster-recovery and dsrepl end-disaster-recovery commands are deprecated.

    For instructions on what to use, refer to the disaster recovery documentation instead.

Since DS 7.2

  • The ds-pwp-last-login-time attribute, which has directory string syntax, is deprecated.

    Use the new ds-last-login-time attribute instead. For an example, refer to Active accounts.

  • Support for CSV, Elasticsearch, JDBC, JMS, Splunk, and Syslog access logs is deprecated.

  • The DSML gateway is deprecated.

    For deployments that require HTTP access to directory data, consider HDAP as an alternative.

Since DS 7.1.8

  • The dsrepl start-disaster-recovery and dsrepl end-disaster-recovery commands are deprecated.

    For instructions on what to use, refer to the disaster recovery documentation instead.

Since DS 7.1.3

  • The following Prometheus counter metrics are deprecated:

    • ds_connection_handlers_ldap_abandoned_requests{ldap_handler}

    • ds_replication_replica_replayed_internal_updates{domain_name,server_id}

    • ds_replication_replica_replayed_updates_conflicts_resolved

    • ds_replication_replica_replayed_updates_conflicts_unresolved

    • ds_replication_replica_sent_updates

    • ds_replication_replica_updates_already_in_progress{domain_name,server_id}

    They are expected to be replaced with metrics whose names end in _total in a future release.

Since DS 7.1

  • The previous format for password file options is deprecated. The options remain supported until removal, but are now hidden in online help. This affects the following options:

    Deprecated form | Use this form
    --bindPasswordFile | --bindPassword:file
    --deploymentKeyPasswordFile | --deploymentIdPassword:file
    --keyStorePasswordFile | --keyStorePassword:file or --keyStorePasswordFilePath (1)
    --monitorUserPasswordFile | --monitorUserPassword:file
    --rootUserPasswordFile | --rootUserPassword:file
    --trustStorePasswordFile | --trustStorePassword:file or --trustStorePasswordFilePath (1)

    (1) The --keyStorePasswordFilePath and --trustStorePasswordFilePath options apply only to the setup command. They retain the path to the file in the configuration, whereas the other options copy the cleartext password at setup time.

  • The dsrepl add-local-server-to-pre-7-0-topology command --masterKeyPairCertAlias and --rootCaCertAlias options are deprecated. The command now finds the certificates by introspecting the configuration.

    The options are now hidden in online help.

Since DS 7.0

  • Support for SNMP.

    DS software provides better options for monitoring servers, including support for Prometheus, Graphite, and LDAP. For details, refer to Monitoring.

    DS server software also includes a sample monitoring dashboard for Prometheus and Grafana, which is described in opendj/samples/grafana/README.md.

  • The pwdValidatorPolicy object class.

    For subentry password policies, use the object classes derived from ds-pwp-validator instead.

  • Reversible password storage schemes, and the cn=admin data base DN and adminData backend used to support them. This includes the following password storage schemes:

    • 3DES

    • AES

    • Blowfish

    • RC4

  • The ds-rlim-lookthrough-limit setting is deprecated.

Since DS 6.5

  • Regarding replication monitoring metrics, including those deprecated since 6.0:

    In mixed topologies, a directory server version 6 or earlier connected to a replication server version 6.5 or later cannot consume messages about other servers going offline. The monitoring framework reflects this as a delay on the directory server that could not consume the message.

    The delay is calculated correctly again once all servers in the topology are upgraded to at least version 6.5, or when the offline server comes back online and has seen a change to directory data.

    Monitor replication delay instead of using the deprecated metrics. For details, refer to Replication delay (LDAP) or Replication delay (Prometheus).

Since DS 6.0

  • The HTTP monitoring endpoint, /admin/monitor.

    Use /metrics/api or /metrics/prometheus instead.

  • The output of the status command. Its content is expected to change significantly in a future release.

  • The metrics for M.C. (missing changes) and A.O.M.C. (age of oldest missing change) shown by the dsreplication status command.

  • The following replication monitoring metrics:

    • LDAP metrics:

      • ds-mon-approx-oldest-change-not-synchronized

      • ds-mon-approximate-delay

      • ds-mon-missing-changes

    • Prometheus metrics:

      • ds_replication_changelog_connected_replicas_approx_oldest_change_not_synchronized_seconds

      • ds_replication_changelog_connected_replicas_approximate_delay_seconds

      • ds_replication_changelog_connected_replicas_missing_changes

Since DS 5.5

  • The PDB database backend type.

  • The dsreplication subcommands enable and disable.

    The subcommands have been replaced with configure and unconfigure, which more accurately reflect the permanence of the configuration changes made by these subcommands.

    The configure subcommand updates the server configuration to replicate data under the specified base DN.

    The unconfigure subcommand removes the replication configuration settings for the specified base DN, and removes references to the current server on other replicas.

    The dsreplication disable --disableAll subcommand option is now dsreplication unconfigure --unconfigureAll.

    The dsreplication disable --disableReplicationServer subcommand option is now dsreplication unconfigure --unconfigureReplicationServer.

  • The control-panel command.

  • The configuration expression implementation is expected to change in a future release.

Known issues

Due to a change to the Java platform between versions 11 and 17, the keys you generate with the dskeymgr and setup commands using Java 11 are incompatible with keys generated using Java 17 and later.

Using different Java versions is a problem if you use deployment ID-based CA certificates. Replication breaks, for example, when you use the setup command for a new server with a more recent version of Java than was used to set up existing servers.

For details on resolving the issue, refer to Incompatible Java versions.

The following important issues remained open at the time of the latest release for each version.

DS 7.5.1

Issue ID | Summary | Status
OPENDJ-10532 | The case of an entryDN can be changed once replicated | Open
OPENDJ-8093 | Stale replica information returned from cn=monitor | Open

DS 7.4.3

Issue ID | Summary | Status (1)
OPENDJ-10083 | Creation of password validator fails if password-character-set:punct characters not surrounded by single quotes at command line | Open
OPENDJ-10010 | HTTP/HTTPS connection handler only creates one listener address when multiple addresses are specified | Open
OPENDJ-9935 | Some controls are not correctly handled beyond a single backend’s base DN | Open
OPENDJ-9812 | Schema updates are not crash resilient | Open
OPENDJ-8093 | Stale replica information returned from cn=monitor | Open
OPENDJ-6149 | The Global Access Control Policy option within the dsconfig tool is misleading as is the error message returned | Open

(1) Upgrade to the listed version or later to get the fix.

DS 7.3.5

Issue ID | Summary | Status (1)
OPENDJ-10306 | Null pointer exceptions due to unrecognized (UNKNOWN) requests | Fixed in 7.5.0
OPENDJ-10171 | etag in schema config entry leads to schema violation error when attempting to update cn=schema | Fixed in 7.5.0
OPENDJ-10032 | Inconsistent password storage scheme rehash policies can create multiple userPassword values | Fixed in 7.5.1, 7.4.3
OPENDJ-9913 | Bind via REST API ignores force-change-on-add in password policy | Fixed in 7.5.0
OPENDJ-9812 | Schema updates are not crash resilient | Open
OPENDJ-9692 | Unindexed privilege not enforced for unindexed sorted and paged searches | Fixed in 7.4.0
OPENDJ-9544 | Searches for attributes that do not exist in schema still take time | Fixed in 7.4.0
OPENDJ-9524 | create-rc-script: systemd service should run start-ds/stop-ds, and not write a wrapper init script | Fixed in 7.4.0
OPENDJ-9379 | Restoring a backup fails if the 02-config.ldif schema file is missing | Open
OPENDJ-9369 | RxCachedThreadScheduler threads increase over time | Open
OPENDJ-9268 | Cannot store zero-length mail attribute values | Open
OPENDJ-8093 | Stale replica information returned from cn=monitor | Open
OPENDJ-7544 | dsconfig online sometimes triggers a duplicate server IDs error | Open

(1) Upgrade to the listed version or later to get the fix.

DS 7.2.5

Issue ID | Summary | Status (1)
OPENDJ-10010 | HTTP/HTTPS connection handler only creates one listener address when multiple addresses are specified | Open
OPENDJ-9790 | Cannot create GeneralizedTimes with large fractional values | Fixed in 7.3.3, 7.4.0
OPENDJ-9379 | Restoring a backup fails if the 02-config.ldif schema file is missing | Open
OPENDJ-9369 | RxCachedThreadScheduler threads increase over time | Open
OPENDJ-9300 | DS 7.3 upgrade requires a full index rebuild | Fixed in 7.3.0
OPENDJ-9268 | Cannot store zero-length mail attribute values | Open
OPENDJ-9250 | The max-allowed-client-connections limit should not apply to the admin connector | Fixed in 7.3.0
OPENDJ-9213 | The dsconfig list-replication-domains output contains redundant columns | Fixed in 7.3.0
OPENDJ-9167 | Reading isMemberOf after adding, deleting, or renaming a static group can block for a long time when there are many static groups | Fixed in 7.3.0
OPENDJ-9128 | Entry cache and group manager use too much memory | Fixed in 7.3.0
OPENDJ-9000 | Missing RS - RS heartbeats are not detected | Fixed in 7.3.0
OPENDJ-8849 | An isolated DS (no RS) should return UNAVAILABLE instead of UNWILLING_TO_PERFORM | Fixed in 7.4.0
OPENDJ-8233 | RS connection error reason is not logged when hostname is not resolvable | Fixed in 7.3.0
OPENDJ-8093 | Stale replica information returned from cn=monitor | Open
OPENDJ-7925 | The searchrate tool does not retrieve data when used simultaneously with the modrate tool on groups | Fixed in 7.3.0
OPENDJ-7844 | Difficult to override standard LDAP schema defined in 00-core.ldif | Open
OPENDJ-7763 | Proxy service discovery with RS-only and DS-only seems not to route search | Open
OPENDJ-7743 | Setting DN-valued properties to a config expression causes startup to fail | Open
OPENDJ-7741 | dsrepl add-local-server-to-pre-7-0-topology requires a base DN for an RS | Open
OPENDJ-7219 | PreParseAddOperation cannot remove attributes | Open
OPENDJ-6579 | Schema is not populated to remote instances if added before enabling replication | Open
OPENDJ-6468 | ds-mon-* Prometheus metrics are labeled as gauge but seem to be counters | Open
OPENDJ-6022 | PTA to Active Directory returns more than one entry when only one exists | Open
OPENDJ-3409 | Retention and rotation policies do not work with CAUD handlers | Fixed in 7.3.0

(1) Upgrade to the listed version or later to get the fix.

DS 7.1.8

Issue ID | Summary | Status (1)
OPENDJ-10553 | DN syntax does not perform strict enforcement of country codes in RDNs if enabled | Open
OPENDJ-10532 | The case of an entryDN can be changed once replicated | Open
OPENDJ-9790 | Cannot create GeneralizedTimes with large fractional values | Fixed in 7.3.3, 7.4.0
OPENDJ-9250 | The max-allowed-client-connections limit should not apply to the admin connector | Fixed in 7.3.0
OPENDJ-9213 | The dsconfig list-replication-domains output contains redundant columns | Fixed in 7.3.0
OPENDJ-9200 | Backup process logs incorrect number of jdb files | Fixed in 7.2.3, 7.3.0
OPENDJ-9158 | AM User/CTS affinity failover doesn’t happen when DS’s disk volume is detached | Fixed in 7.2.3, 7.3.3, 7.4.0
OPENDJ-9033 | DS refuses to start and throws an NPE when a subordinate-base-dn is used | Fixed in 7.2.1, 7.3.0
OPENDJ-8917 | ReplicationBroker.java swallowed important debugging info | Fixed in 7.2.1, 7.3.0
OPENDJ-8870 | RFC2307bis schema is different from the internet-draft | Fixed in 7.2.0
OPENDJ-8831 | Log when and why the ChangeNumberIndexer cannot move forward | Fixed in 7.2.1, 7.3.0
OPENDJ-8829 | Error messages incorrectly mentions cn=System,cn=monitor | Fixed in 7.2.0
OPENDJ-8808 | Potential deadlock between overlapping rename operations | Fixed in 7.2.1, 7.3.0
OPENDJ-8805 | dsconfig exits when setting the "bootstrap-replication-server" property with a <null> value in the "Replication Service Discovery Mechanism". | Fixed in 7.2.0
OPENDJ-8778 | Setup option --trustStorePassword:file behaves differently than --trustStorePasswordFile | Fixed in 7.2.0
OPENDJ-8473 | Upgrade does not migrate ds-cfg-je-property values | Fixed in 7.2.0
OPENDJ-8280 | DS will not start when using a non-US locale after changing config | Fixed in 7.2.0
OPENDJ-8233 | RS connection error reason is not logged when hostname is not resolvable | Fixed in 7.3.0
OPENDJ-8093 | Stale replica information returned from cn=monitor | Open
OPENDJ-8008 | OutOfMemoryException in subtree delete | Fixed in 7.2.0
OPENDJ-7942 | The server ignores critical VLV request controls when falling back to an unindexed search | Fixed in 7.3.0
OPENDJ-7941 | Client connections to proxy time out after 10 seconds regardless of activity | Fixed in 7.2.3, 7.3.0
OPENDJ-7925 | The searchrate tool does not retrieve data when used simultaneously with the modrate tool on groups | Fixed in 7.3.0
OPENDJ-7844 | Difficult to override standard LDAP schema defined in 00-core.ldif | Open
OPENDJ-7837 | Schema replication issues when adding a new server with conflicting schema to an existing topology | Open
OPENDJ-7788 | dsrepl initialize from 5.5 causes the ReplicationDomain listener to die with an NPE | Open
OPENDJ-7763 | Proxy replication service discovery with RS-only and DS-only seems not to route search | Open
OPENDJ-7743 | Setting DN-valued properties to a config expression causes startup to fail | Open
OPENDJ-7741 | dsrepl add-local-server-to-pre-7-0-topology requires a base DN for an RS | Open
OPENDJ-7640 | Supportextract does not collect all security stores when several keystores have the same basename | Fixed in 7.2.1, 7.3.0
OPENDJ-7596 | dsbackup has global connection options that do not work with some subcommands | Fixed in 7.2.0
OPENDJ-7544 | dsconfig online sometimes triggers a duplicate server IDs error | Open
OPENDJ-7516 | External cn=changelog is not updated while replication initialization is in progress | Fixed in 7.2.1, 7.3.0
OPENDJ-7219 | PreParseAddOperation cannot remove attributes | Open
OPENDJ-6579 | Schema is not populated to remote instances if added before enabling replication | Open
OPENDJ-6468 | ds-mon-* Prometheus metrics are labeled as gauge but seem to be counters | Open
OPENDJ-6022 | PTA to Active Directory returns more than one entry when only one exists | Open
OPENDJ-3409 | Retention and rotation policies do not work with CAUD handlers | Fixed in 7.3.0

(1) Upgrade to the listed version or later to get the fix.

DS 7.0.2

Issue ID | Summary | Status (1)
OPENDJ-9790 | Cannot create GeneralizedTimes with large fractional values | Fixed in 7.3.3, 7.4.0
OPENDJ-9472 | Upgrade does not correctly handle previously patched upgrades | Fixed in 7.1.6, 7.2.3, 7.3.2, 7.4.0
OPENDJ-9347 | GSSAPISASLMechanismHandler incorrectly formats the login conf file | Fixed in 7.1.5, 7.2.2, 7.3.0
OPENDJ-9250 | The max-allowed-client-connections limit should not apply to the admin connector | Fixed in 7.3.0
OPENDJ-9213 | The dsconfig list-replication-domains output contains redundant columns | Fixed in 7.3.0
OPENDJ-9033 | DS refuses to start and throws an NPE when a subordinate-base-dn is used | Fixed in 7.2.1, 7.3.0
OPENDJ-8874 | Full replica purge should write CSN information right away | Fixed in 7.1.3, 7.2.0
OPENDJ-8870 | RFC2307bis schema is different from the internet-draft | Fixed in 7.2.0
OPENDJ-8829 | Error messages incorrectly mentions cn=System,cn=monitor | Fixed in 7.2.0
OPENDJ-8815 | dsrepl status does not take bad data status into account | Fixed in 7.1.3, 7.2.1, 7.3.0
OPENDJ-8778 | Setup option --trustStorePassword:file behaves differently than --trustStorePasswordFile | Fixed in 7.2.0
OPENDJ-8698 | DS should write config archive files in a crash consistent way | Fixed in 7.1.3, 7.2.0
OPENDJ-8613 | No error is logged when sending of task completion notification email fails | Fixed in 7.1.3, 7.2.0
OPENDJ-8473 | Upgrade does not migrate ds-cfg-je-property values | Fixed in 7.2.0
OPENDJ-8383 | dsrepl status fails when certificates accepted interactively | Fixed in 7.2.0
OPENDJ-8378 | dsrepl status shows deleted replication domains | Fixed in 7.1.3, 7.2.1, 7.3.0
OPENDJ-8280 | DS will not start when using a non-US locale after changing config | Fixed in 7.2.0
OPENDJ-8243 | Indexes could cause ldapsearch to return multiple copies of the same entry | Fixed in 7.1.1, 7.2.0
OPENDJ-8227 | Deadlock between Changelog DB purger and Thread for RS session | Fixed in 7.2.0
OPENDJ-8093 | Stale replica information returned from cn=monitor | Open
OPENDJ-8072 | dsrepl initialize hangs after re-enabling replication | Open
OPENDJ-8046 | Changelog files are not closed after searching cn=changelog | Fixed in 7.1.1, 7.2.0
OPENDJ-8028 | Prometheus monitoring doesn’t work with Telegraf | Fixed in 7.1.1, 7.2.0
OPENDJ-8024 | Prevent configuration of VLV indexes with scope base-object | Fixed in 7.2.0
OPENDJ-7991 | makeldif: "invalid number of arguments" using DateTime tag with colons | Fixed in 7.2.0
OPENDJ-7971 | dsbackup fails when JDB file cleaned | Fixed in 7.1.1, 7.2.0
OPENDJ-7970 | Ensure that DS is crash resilient for all runtime file changes | Fixed in 7.1.2, 7.2.0
OPENDJ-7942 | The server ignores critical VLV request controls when falling back to an unindexed search | Fixed in 7.3.0
OPENDJ-7941 | Client connections to proxy time out after 10 seconds regardless of activity | Fixed in 7.2.3, 7.3.0
OPENDJ-7928 | JSON normalization cannot handle nested arrays | Fixed in 7.1.0
OPENDJ-7905 | Schema replication error after upgrade | Fixed in 7.1.0
OPENDJ-7889 | Configuring group-id against DS-only instance requires restart for the change to be reported by monitoring | Fixed in 7.1.1, 7.2.0
OPENDJ-7867 | NPE if dsbackup bucket name contains underscores | Fixed in 7.1.0
OPENDJ-7851 | Supportextract tool: clobbers the server.out filehandle when kill -3 is used. | Fixed in 7.1.0
OPENDJ-7847 | StaticGroup’s objectclass sanity checks are unhelpful | Fixed in 7.1.0
OPENDJ-7844 | Difficult to override standard LDAP schema defined in 00-core.ldif | Open
OPENDJ-7837 | Schema replication issues when adding a new server with conflicting schema to an existing topology | Open
OPENDJ-7818 | Package based upgrade does not support instances running as non-root | Fixed in 7.1.1, 7.2.0
OPENDJ-7816 | dsbackup fails when destination is a symbolic link to a real directory | Fixed in 7.1.2, 7.2.0
OPENDJ-7788 | dsrepl initialize from 5.5 causes the ReplicationDomain listener to die with an NPE | Open
OPENDJ-7761 | DS sporadically hangs while reconnecting to an RS | Fixed in 7.1.0
OPENDJ-7758 | DS 7.0 dsrepl add-local-server-to-pre-7-0-topology: NPE if master-key is in different keystore | Fixed in 7.1.0
OPENDJ-7755 | DS 7.0 replication with older version, CryptoManager failed to import the symmetric key entry | Fixed in 7.1.1, 7.2.0
OPENDJ-7744 | dsrepl initialize in a topology with DS7 and DS 5.5 fails if DS7 serverId starts with 0 | Fixed in 7.1.1, 7.2.0
OPENDJ-7743 | Setting DN-valued properties to a config expression causes startup to fail | Open
OPENDJ-7737 | ConfigurationFramework#initialize0 changes the class loader without clearing the map of registered jar files | Fixed in 7.1.0
OPENDJ-7706 | Unable to set up replication between standalone DS and RS servers and older versions of DS or OpenDJ | Open
OPENDJ-7699 | Supportextract throws NoSuchElementException when the server.pid file is empty | Fixed in 7.1.0
OPENDJ-7689 | dsrepl add-local-server-to-pre-7-0-topology does not tolerate separate keystore and truststore | Fixed in 7.1.0
OPENDJ-7688 | Spurious DS disconnections because of missing heartbeat | Fixed in 7.2.1, 7.3.0
OPENDJ-7687 | Global Access Control Policy regarding cn=schema is too restrictive | Fixed in 7.1.0
OPENDJ-7655 | Replaying multiple MODIFYDN operations is very slow | Fixed in 7.1.0
OPENDJ-7653 | replication issue in the cloud after ldapadd | Fixed in 7.1.0
OPENDJ-7596 | dsbackup has global connection options that do not work with some subcommands | Fixed in 7.2.0
OPENDJ-7516 | External cn=changelog is not updated while replication initialization is in progress | Fixed in 7.2.1, 7.3.0
OPENDJ-7513 | Missing subSchemaSubEntry attribute from rootDSE access controls | Fixed in 7.1.0
OPENDJ-7481 | JSON logs do not contain proxy auth DN | Fixed in 7.1.0
OPENDJ-7474 | Docker sample README.md provides wrong instructions for running the container | Fixed in 7.1.0
OPENDJ-7322 | IndexOutOfBoundsException while configuring max-replication-delay-health-check | Fixed in 7.1.0
OPENDJ-7219 | PreParseAddOperation cannot remove attributes | Open
OPENDJ-7014 | Some operational attributes are not replicated when a restore --dry-run is used against an online server | Open
OPENDJ-7011 | RFC 2252 Binary syntax doesn’t use ";binary" transfer encoding | Open
OPENDJ-6791 | RS reconnect delay is too aggressive | Fixed in 7.3.3, 7.4.0
OPENDJ-6774 | Searches no longer return attributes in the order requested | Open
OPENDJ-6579 | Schema is not populated to remote instances if added before enabling replication | Open
OPENDJ-6468 | ds-mon-* Prometheus metrics are labeled as gauge but seem to be counters | Open
OPENDJ-6022 | PTA to Active Directory returns more than one entry when only one exists | Open
OPENDJ-5602 | JDK11: unexpected return code 81 using SASL External | Open
OPENDJ-4935 | Replication instability and divergence when using high latency disks | Fixed in 7.1.2, 7.2.0
OPENDJ-3409 | Retention and rotation policies do not work with CAUD handlers | Fixed in 7.3.0

(1) Upgrade to the listed version or later to get the fix.

DS 6.5.6

Issue ID | Summary | Status (1)

OPENDJ-9544 | Searches for attributes that do not exist in schema still take time | Fixed in 7.4.0
OPENDJ-8842 | Proxy DS does not cancel psearch to Backend DS if psearch is cancelled | Fixed in 7.0.0
OPENDJ-8838 | Backslashes in files read via a config expression are mishandled | Open
OPENDJ-8829 | Error messages incorrectly mentions cn=System,cn=monitor | Fixed in 7.2.0
OPENDJ-8613 | No error is logged when sending of task completion notification email fails | Fixed in 7.1.3, 7.2.0
OPENDJ-8473 | Upgrade does not migrate ds-cfg-je-property values | Fixed in 7.2.0
OPENDJ-8460 | Deploying DS6.5.5+JDK11 causes continuous hostname resolution errors in pods with DS6.5.5+JDK8 | Open
OPENDJ-8234 | ADD of large entry is not replicated | Open
OPENDJ-8226 | Support Extract tool ignores non-default changelogDb location when collecting domains.state file | Fixed in 7.1.1, 7.2.0
OPENDJ-8205 | Log message lists an object’s string representation instead of a file name | Fixed in 7.1.1, 7.2.0
OPENDJ-8137 | LDIF backend silently rejects entries that fail schema validation | Fixed in 7.2.0
OPENDJ-8089 | rest2ldap gateway returns string instead of boolean | Fixed in 7.1.0
OPENDJ-8046 | Changelog files are not closed after searching cn=changelog | Fixed in 7.1.1, 7.2.0
OPENDJ-8024 | Prevent configuration of VLV indexes with scope base-object | Fixed in 7.2.0
OPENDJ-8018 | Older servers cannot create a new symmetric key in mixed version topologies | Open
OPENDJ-7942 | The server ignores critical VLV request controls when falling back to an unindexed search | Fixed in 7.3.0
OPENDJ-7919 | A search for modifyTimestamp>=00000101000000Z results in a YEAR error and disconnect | Fixed in 7.0.0
OPENDJ-7810 | JMX connections are always considered insecure | Fixed in 7.0.2, 7.1.0
OPENDJ-7687 | Global Access Control Policy regarding cn=schema is too restrictive | Fixed in 7.1.0
OPENDJ-7654 | DS is sometimes unable to connect to RS after full gc | Fixed in 7.2.0
OPENDJ-7643 | Log that is supposedly generated from dsreplication operation is empty or does not exist | Open
OPENDJ-7640 | Supportextract does not collect all security stores when several keystores have the same basename | Fixed in 7.2.1, 7.3.0
OPENDJ-7516 | External cn=changelog is not updated while replication initialization is in progress | Fixed in 7.2.1, 7.3.0
OPENDJ-7288 | LDAPS Handlers "SelectorRunner" thread hangs up in Grizzly SSLUtils.sslEngineUnwrap | Fixed in 7.1.0
OPENDJ-7219 | PreParseAddOperation cannot remove attributes | Open
OPENDJ-7099 | Query for AclRightsInfos can throw an exception due to invalid attribute description | Fixed in 7.0.0
OPENDJ-7011 | RFC 2252 Binary syntax doesn’t use ";binary" transfer encoding | Open
OPENDJ-6977 | DS expects root user password instead of admin user password in standalone DS , RS deployments | Open
OPENDJ-6931 | DS to RS failover mechanism does not account for non responsive established connections | Fixed in 7.0.0
OPENDJ-6774 | Searches no longer return attributes in the order requested | Open
OPENDJ-6579 | Schema is not populated to remote instances if added before enabling replication | Open
OPENDJ-6499 | Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11 | Fixed in 7.0.0
OPENDJ-6468 | ds-mon-* Prometheus metrics are labeled as gauge but seem to be counters | Open
OPENDJ-6380 | Warning message for duplicate objectclass schema definition is misleading | Open
OPENDJ-6378 | Entries are returned with attribute names using inconsistent case | Fixed in 7.0.0
OPENDJ-6358 | backUpAll doesn’t backup ads-truststore.pin | Open
OPENDJ-6223 | Searching telephoneNumber field with a non-numeric value returns all the records | Fixed in 7.0.0
OPENDJ-6221 | Logging for CONNECT operations are not saved in Nanosecond format | Fixed in 7.0.0
OPENDJ-6198 | Server won’t start if I try to configure a ConnectionHandler to listen on 2 IP addresses | Fixed in 7.0.0
OPENDJ-6149 | The Global Access Control Policy option within the dsconfig tool is misleading as is the error message returned | Open
OPENDJ-6116 | Unspecified Communications Error when multiple rest2ldap endpoints share configuration elements | Fixed in 7.0.0
OPENDJ-6022 | PTA to Active Directory returns more than one entry when only one exists | Open
OPENDJ-5985 | Divergence of "cn=admin data" after setting up secure replication and encrypted backends | Open
OPENDJ-5956 | Data discrepancy between servers if the same attribute has extra spaces in RDN | Open
OPENDJ-5745 | Azure AD Connector Uses Deprecated Untrusted/Unsigned MSOnline Powershell Module | Open
OPENDJ-5664 | JDK 11: illegal reflective access warning during import-ldif | Fixed in 7.0.0
OPENDJ-5663 | JDK 11: illegal reflective access warning on setup (without profile) | Open
OPENDJ-5661 | supportextract tool help and version options are different from other tools | Fixed in 7.0.0
OPENDJ-5660 | JDK 11: illegal reflective access warning on setup (with profile) | Fixed in 7.0.0
OPENDJ-5590 | Proxy: server discovery fails silently when proxy base-dn differs from backend’s base-dn | Fixed in 7.0.0
OPENDJ-5201 | Tools may prompt to trust certificate multiple times for different reasons | Open
OPENDJ-5174 | dsreplication initialize-all task sometimes fails with STOPPED_BY_ERROR | Open
OPENDJ-4943 | NullPointerException in BackupManager.java when backup --hash is used offline | Open
OPENDJ-4475 | Attribute value password validator does not check substrings in reversed password | Fixed in 7.0.0
OPENDJ-4008 | dsconfig exits with error when listing global access control policy | Open

(1) Upgrade to the listed version or later to get the fix.

DS 6.0.0

Issue ID | Summary | Status (1)

OPENDJ-8845 | Persistent search entry change notifications cannot be read by JNDI | Fixed in 6.5.6, 7.1.3, 7.2.0
OPENDJ-8829 | Error messages incorrectly mentions cn=System,cn=monitor | Fixed in 7.2.0
OPENDJ-8613 | No error is logged when sending of task completion notification email fails | Fixed in 7.1.3, 7.2.0
OPENDJ-8473 | Upgrade does not migrate ds-cfg-je-property values | Fixed in 7.2.0
OPENDJ-8060 | Changelog search results in error "Unexpected message type when trying to create changelog entry for dn ou=Service : class org.opends.server.replication.protocol.ReplicaOfflineMsg" | Open
OPENDJ-8024 | Prevent configuration of VLV indexes with scope base-object | Fixed in 7.2.0
OPENDJ-7942 | The server ignores critical VLV request controls when falling back to an unindexed search | Fixed in 7.3.0
OPENDJ-7919 | A search for modifyTimestamp>=00000101000000Z results in a YEAR error and disconnect | Fixed in 7.0.0
OPENDJ-7818 | Package based upgrade does not support instances running as non-root | Fixed in 6.5.5, 7.1.1, 7.2.0
OPENDJ-7810 | JMX connections are always considered insecure | Fixed in 7.0.2, 7.1.0
OPENDJ-7481 | JSON logs do not contain proxy auth DN | Fixed in 6.5.5, 7.1.0
OPENDJ-7020 | rebuild-index offline ignores rebuild-index.offline.java-args | Fixed in 6.5.4, 7.0.0
OPENDJ-7014 | Some operational attributes are not replicated when a restore --dry-run is used against an online server | Fixed in 6.5.4
OPENDJ-6994 | strict-format-country-string does not affect the server | Fixed in 6.5.4, 7.0.0
OPENDJ-6977 | DS expects root user password instead of admin user password in standalone DS , RS deployments | Open
OPENDJ-6733 | SMTP handler sends incorrect email when account status is modified by manually updating ds-pwp-account-disabled attribute | Fixed in 6.5.3, 7.0.0
OPENDJ-6711 | Replication status reports The provided value "5277383431" could not be parsed as an integer. | Fixed in 6.5.4, 7.0.0
OPENDJ-6579 | Schema is not populated to remote instances if added before enabling replication | Open
OPENDJ-6557 | IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11 | Fixed in 6.5.3, 7.0.0
OPENDJ-6378 | Entries are returned with attribute names using inconsistent case | Fixed in 7.0.0
OPENDJ-6377 | Replication replay: issues with ReplaySynchronizer | Fixed in 6.5.4, 7.0.0
OPENDJ-6235 | Stale ds-sync-hist attribute values reappear in the entry after replication is unconfigured | Fixed in 6.5.2, 7.0.0
OPENDJ-6222 | SMTP messages are sometimes not encoded with the correct charset | Fixed in 6.5.2, 7.0.0
OPENDJ-6221 | Logging for CONNECT operations are not saved in Nanosecond format | Fixed in 7.0.0
OPENDJ-6196 | HTTP connection handler continues to listen to 0.0.0.0 after setting listen-address | Fixed in 6.5.2, 7.0.0
OPENDJ-6188 | Backend returns an incorrect error type when disk space hits low threshold | Fixed in 6.5.4, 7.0.0
OPENDJ-6173 | cn=monitor memory pool stats do not get updated properly over time | Fixed in 6.5.2, 7.0.0
OPENDJ-5956 | Data discrepancy between servers if the same attribute has extra spaces in RDN | Open
OPENDJ-5636 | ServiceDiscoveryMechanism can return incorrect Partition | Open
OPENDJ-5606 | Upgrade to DS 6.0 fails if multiple filesystems are involved | Fixed in 6.5.0
OPENDJ-5594 | StackOverflowError with groupOfURLs when isMemberOf is requested | Fixed in 6.5.0
OPENDJ-5582 | LdapClientSocket connection leaked when handshake fails | Fixed in 6.1.0, 6.5.0
OPENDJ-5558 | SDK: LdapUrl is not IPv6 clean | Fixed in 6.5.0
OPENDJ-5503 | Change number "not found in pending list" | Open
OPENDJ-5496 | DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart | Fixed in 6.5.0
OPENDJ-5481 | ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts | Fixed in 6.5.0
OPENDJ-5440 | When disk space goes from "low" to "normal" state for changelog, RS rebinds to port and fails | Fixed in 6.5.0
OPENDJ-5423 | Incorrectly reported missing parent entries cause import-ldif and index rebuilds to fail | Fixed in 6.5.0
OPENDJ-5406 | Duplicate entry DNs if entry is deleted and then added during export-ldif or dsreplication initialize | Fixed in 6.5.0
OPENDJ-5301 | Encrypted or signed backups of task or schema backend cannot be restored | Fixed in 6.5.0
OPENDJ-5272 | "idle-time-limit" global configuration property has no effect | Fixed in 6.5.0
OPENDJ-5260 | Grizzly pre-allocates a useless MemoryManager | Fixed in 6.5.0
OPENDJ-5218 | Changelog "break ordering" logging is too noisy | Open
OPENDJ-5210 | Possible memory-leak if request received while bind in progress | Fixed in 6.5.0
OPENDJ-5140 | PersistentSearch heap usage grows | Fixed in 6.5.0
OPENDJ-5137 | Reading compressed or encrypted entries fails to close the InflaterInputStream | Fixed in 6.5.0
OPENDJ-5074 | dsreplication status reports "No replication information found" after DS 6 upgrade | Open
OPENDJ-5039 | Upgrade task tries to move the opendmk-jarfile to a wrong path on instances with split instance/tool folders | Open
OPENDJ-5012 | Replication: reset-change-number fails when DS exposes different public naming contexts (replicated or not) | Fixed in 6.5.0
OPENDJ-4967 | Rest2ldap UndeliverableException occurs when a referenced entity cannot be fetched | Fixed in 6.5.0
OPENDJ-4948 | Certificate Mappers fail to use only local backends when matching user entries | Open
OPENDJ-4947 | SASL DIGEST-MD5: bind request failed with protocol error | Fixed in 6.5.0
OPENDJ-4935 | Replication instability and divergence when using high latency disks | Fixed in 7.1.2, 7.2.0
OPENDJ-4920 | LDAPS connections which are still inside handshake do not get idle closed | Open
OPENDJ-4898 | Server fails to ignore attempts to abandon certain operations | Open
OPENDJ-4881 | Updates via Rest2ldap fail if record does not contain the necessary object class | Fixed in 6.5.0
OPENDJ-4877 | Perf regression on add/delete with default indexes | Open
OPENDJ-4852 | Backup with --backupAll misses a few backends | Fixed in 6.5.0
OPENDJ-4851 | Exception when uninstalling/stopping replication topology | Open
OPENDJ-4775 | Proxy keeps searching on ports removed from Static Discovery Mechanism | Open
OPENDJ-4764 | REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly | Fixed in 7.0.0
OPENDJ-4714 | SSL handshake now sends 16KB list of CA issuer DNs | Fixed in 7.0.0
OPENDJ-4693 | Online rebuild-index command ends with a benign error message | Open
OPENDJ-4589 | dsconfig --offline is not case-insensitive | Fixed in 6.5.0
OPENDJ-4475 | Attribute value password validator does not check substrings in reversed password | Fixed in 7.0.0
OPENDJ-4474 | Changing the JE db-logging-level to a non-allowed value disables the backend on restart | Open
OPENDJ-4058 | IDM Account Status notification handler doesn’t look for certificates correctly | Fixed in 6.5.4, 7.0.0
OPENDJ-4008 | dsconfig exits with error when listing global access control policy | Open
OPENDJ-390 | ConcurrentModificationException during backup all | Open

(1) Upgrade to the listed version or later to get the fix.

DS 5.5.3

Issue ID | Summary | Status (1)

OPENDJ-8845 | Persistent search entry change notifications cannot be read by JNDI | Fixed in 6.5.6, 7.1.3, 7.2.0
OPENDJ-8712 | DS replica switching from local RS to remote RS might incur transient high response time | Open
OPENDJ-8610 | RS-RS session thread stuck in Session.send could prevent DS from shutdown | Fixed in 7.1.5, 7.2.0
OPENDJ-8060 | Changelog search results in error "Unexpected message type when trying to create changelog entry for dn ou=Service : class org.opends.server.replication.protocol.ReplicaOfflineMsg" | Open
OPENDJ-8024 | Prevent configuration of VLV indexes with scope base-object | Fixed in 7.2.0
OPENDJ-7810 | JMX connections are always considered insecure | Fixed in 7.0.2, 7.1.0
OPENDJ-7788 | dsrepl initialize from 5.5 causes the ReplicationDomain listener to die with an NPE | Open
OPENDJ-7481 | JSON logs do not contain proxy auth DN | Fixed in 6.5.5, 7.1.0
OPENDJ-7341 | Changes made after disk space recovery might not be sync’d to other nodes | Open
OPENDJ-7020 | rebuild-index offline ignores rebuild-index.offline.java-args | Fixed in 6.5.4, 7.0.0
OPENDJ-7014 | Some operational attributes are not replicated when a restore --dry-run is used against an online server | Fixed in 6.5.4
OPENDJ-6994 | strict-format-country-string does not affect the server | Fixed in 6.5.4, 7.0.0
OPENDJ-6977 | DS expects root user password instead of admin user password in standalone DS , RS deployments | Open
OPENDJ-6697 | Unique Attribute Plugin fails to clear DN’s on a failed ADD from a Client Unbind | Open
OPENDJ-6579 | Schema is not populated to remote instances if added before enabling replication | Open
OPENDJ-6521 | setup checks admin port despite options --skipPortCheck --doNotStart | Fixed in 6.5.3, 7.0.0
OPENDJ-6378 | Entries are returned with attribute names using inconsistent case | Fixed in 7.0.0
OPENDJ-6240 | DS not honoring per user resource limits when processing RESTful operation requests | Fixed in 6.5.3, 7.0.0
OPENDJ-6090 | Error message 'dsreplication reset-change-number' does not list the affected baseDNs | Open
OPENDJ-6074 | Attribute value uniqueness is not checked for custom attributes when a modify DN request with newSuperiorDN is performed | Fixed in 7.0.0
OPENDJ-5985 | Divergence of "cn=admin data" after setting up secure replication and encrypted backends | Open
OPENDJ-5636 | ServiceDiscoveryMechanism can return incorrect Partition | Open
OPENDJ-5594 | StackOverflowError with groupOfURLs when isMemberOf is requested | Fixed in 6.5.0
OPENDJ-5558 | SDK: LdapUrl is not IPv6 clean | Fixed in 6.5.0
OPENDJ-5496 | DS fails to reconnect to an RS, disconnecting in handshake phase, after system restart | Fixed in 6.5.0
OPENDJ-5481 | ERR_OPERATION_NOT_FOUND_IN_PENDING message used twice in different contexts | Fixed in 6.5.0
OPENDJ-5474 | java.awt.AWTError when running status command on system without X11 | Fixed in 6.0.0
OPENDJ-5301 | Encrypted or signed backups of task or schema backend cannot be restored | Fixed in 6.5.0
OPENDJ-5293 | Proxy: Replication Service Discovery Mechanism logs WARNING | Fixed in 6.5.0
OPENDJ-5229 | Objectclass matching fails when objectclass has multiple names | Fixed in 6.0.0
OPENDJ-5217 | Weird error message in logs for input string | Fixed in 6.5.0
OPENDJ-5140 | PersistentSearch heap usage grows | Fixed in 6.5.0
OPENDJ-5115 | ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory | Fixed in 6.5.0
OPENDJ-5070 | Over allocation of db-cache-percent for existing backend results in empty error | Open
OPENDJ-4935 | Replication instability and divergence when using high latency disks | Fixed in 7.1.2, 7.2.0
OPENDJ-4920 | LDAPS connections which are still inside handshake do not get idle closed | Open
OPENDJ-4898 | Server fails to ignore attempts to abandon certain operations | Open
OPENDJ-4851 | Exception when uninstalling/stopping replication topology | Open
OPENDJ-4823 | Adding a third replica breaks key ordering of the changelogDb | Fixed in 6.0.0
OPENDJ-4764 | REST2LDAP gateway sasl-plain authorization doesn’t handle dn: correctly | Fixed in 7.0.0
OPENDJ-4587 | Replication: Medium consistency point frozen when a DS+RS is unconfigured or a DS+RS is stopped | Fixed in 6.0.0
OPENDJ-4521 | JSON logger can eat lots of cpu on an otherwise idle server | Fixed in 6.0.0
OPENDJ-4475 | Attribute value password validator does not check substrings in reversed password | Fixed in 7.0.0
OPENDJ-4474 | Changing the JE db-logging-level to a non-allowed value disables the backend on restart | Open
OPENDJ-4312 | addrate raises NoSuchElementException when using numusers | Open
OPENDJ-4243 | Replication status’s Age of Oldest Missing Change (AOMC) is not reset even if Missing Changes (MC) is 0 | Open
OPENDJ-4229 | status command with keystore options throws NullPointerException | Fixed in 6.5.0
OPENDJ-4218 | RS not sending update for domain cn=admin data | Fixed in 6.0.0
OPENDJ-4109 | The ldappasswordmodify command fails when requested through a directory proxy server | Open
OPENDJ-4106 | Incorrect error when importing bad LDIF on setup | Open
OPENDJ-4058 | IDM Account Status notification handler doesn’t look for certificates correctly | Fixed in 6.5.4, 7.0.0
OPENDJ-4008 | dsconfig exits with error when listing global access control policy | Open
OPENDJ-390 | ConcurrentModificationException during backup all | Open

(1) Upgrade to the listed version or later to get the fix.

Limitations

The following limitations are inherent to the design, not bugs to be fixed.

Account lockout

When you configure account lockout as part of password policy, DS servers lock an account after the specified number of consecutive authentication failures.

Account lockout is not transactional across all replicas in a deployment. Global account lockout occurs as soon as the authentication failure times have been replicated.

HDAP

  • When patching a json syntax attribute, you cannot patch individual fields of the JSON object. You must change the entire JSON object instead.

    As a workaround, perform an update of the entire object, changing only the desired fields in your copy.

  • For referrals, HDAP returns HTTP 404 Not Found. HDAP does not return the equivalent of LDAP continuation references.

  • HDAP does not support query filters for equality matching (eq) with address fields like postalAddress.

LDAP

  • DS servers provide full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

  • When the global server property invalid-attribute-syntax-behavior is set to accept or warn, a search on group membership using a value with invalid syntax returns nothing.

Passwords

  • Directory servers store passwords prefixed with the storage scheme in braces, as in {scheme}.

    To prevent users from effectively attempting to choose their own password storage scheme, directory servers do not support passwords that strictly match this format.

    Specifically, directory servers do not support passwords that match {string.*.

    Requests to update userPassword values with such passwords fail with result code 19 (Constraint Violation), and an additional message that passwords may not be provided in pre-encoded form.

  • The Password Policy control (OID: 1.3.6.1.4.1.42.2.27.8.5.1) is supported for add, bind, and modify operations.

    It is not supported for compare, delete, search, and modify DN operations.
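The pre-encoded password rule above, as an added example that is not PingDS code. The page states only the stored form ({scheme} followed by the encoded value) and the outcome (result code 19 with a message that passwords may not be provided in pre-encoded form); the exact matching rule, the {SSHA512} salted-hash layout and the function names are assumptions made for this example, not the product's implementation.

```python
"""Illustrate why a directory refuses client-supplied values that already look
like a stored {scheme}... password (added example, not PingDS code)."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

SUCCESS = 0
CONSTRAINT_VIOLATION = 19  # LDAP result code named on the page

# Assumed rule: an opening brace, a non-empty scheme name, a closing brace,
# then anything. The page only says values matching the stored format are refused.
_PRE_ENCODED = re.compile(r"^\{[^{}]+\}.*", re.DOTALL)


def looks_pre_encoded(value: str) -> bool:
    """True when the value looks like a stored {scheme}<encoded> password."""
    return _PRE_ENCODED.match(value) is not None


def check_user_password(value: str) -> Tuple[int, str]:
    """Return (result_code, diagnostic) for a proposed userPassword value."""
    if looks_pre_encoded(value):
        return (CONSTRAINT_VIOLATION,
                "Constraint Violation: passwords may not be provided in pre-encoded form")
    return (SUCCESS, "")


def encode_for_storage(password: str, salt: Optional[bytes] = None) -> str:
    """Illustrative salted SHA-512 storage form: {SSHA512}base64(digest || salt).
    Assumption for the example; PingDS's exact encoding is not on the page."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_stored(stored: str, candidate: str) -> bool:
    """Check a candidate against the illustrative stored form in constant time."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:64], raw[64:]
    expected = hashlib.sha512(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample values; none of them comes from the page.
SAMPLES = [
    "correct horse battery staple",  # ordinary value: accepted
    "{SSHA512}ZmFrZS1oYXNo",          # looks like a stored value: refused
    "{CLEAR}hunter2",                 # user trying to pick a scheme: refused
    "{}",                             # empty scheme: not pre-encoded under the assumed rule
    "{unterminated",                  # no closing brace: accepted
    "a{b}c",                          # brace not at the start: accepted
]


def run_samples() -> dict:
    """Map each sample to the result code the check assigns it."""
    return {v: check_user_password(v)[0] for v in SAMPLES}


if __name__ == "__main__":
    for value, code in run_samples().items():
        print(f"{code:>2}  {value!r}")
    stored = encode_for_storage("hunter2")
    # A value echoed back from the directory is itself refused as a new password.
    print(stored, check_user_password(stored)[0], verify_stored(stored, "hunter2"))
```

The point of the last three lines is the one the page makes: the stored form is what the server writes, never what a client may submit, so a value copied out of one entry cannot be pushed into another through a userPassword update.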

Proxy services

  • Configuring a server with both local backends and proxy backends is not supported.

    Access control models for directory servers and proxy servers do not function at the same time in the same server.

  • The policy-based access control handler used in proxy servers:

    • Does not support the Get Effective Rights control.

    • Does not check the modify-acl privilege when global access control policies are changed.

      The config-write privilege is sufficient to change global access control policies.

    • Does not send alert notifications when global access control policies change.

  • When using ACIs or collective attributes with the proxy server data distribution feature, the ACI and entries having collective attribute values must be located at or above the partition-base-dn. When changing this data, make the change behind the proxy to one directory server replica in each shard. Your changes are not replicated outside the shard.

    The proxy server data distribution feature does not currently support the following:

    • Importing distributed data with the import-ldif command.

    • Changes to the number of partitions after data has been deployed.

    • Modify DN operations to distributed entries.

    • Updates to entries at or above the partition-base-dn.

    • Virtual static groups.

    • Data distribution does not support the member and uniqueMember virtual attributes.

      The isMemberOf virtual attribute works as expected as long as you replicate the group entries on every shard.

    • Data distribution does not support these LDAP controls:

      Server-Side Sort controls (1.2.840.113556.1.4.473, 1.2.840.113556.1.4.474)

      Simple Paged Results control (1.2.840.113556.1.4.319)

      Virtual List View controls (2.16.840.1.113730.3.4.9, 2.16.840.1.113730.3.4.10)

Replication

  • The dsrepl status command cannot read status information from DS 6.5 and earlier servers.

    During upgrade, use the dsreplication status command for 6.5 and earlier servers, and the dsrepl status command for 7.0 and later servers.

  • Pre-7.0 DS servers cannot create a new symmetric key in mixed version topologies.

    When a DS 6.5 or earlier server generates a new symmetric key, it displays an error, such as the following:

    Cannot encode entry for writing on storage:
     CryptoManager failed to encode symmetric key attribute value:
      InvalidKeyException(Wrong key usage) base dn : dc=com

    To work around this limitation, upgrade the pre-7.0 DS servers and use the new security model.

REST to LDAP

  • REST to LDAP on a DS proxy server does not support authentication as a remote user.

    Access REST to LDAP through the gateway or directly on a DS directory server.

  • REST to LDAP does not support modify RDN operations.

  • REST to LDAP query filters do not work with properties of subtypes.

    For example, the default example configuration describes a user type, and a POSIX user type. If your query filter is based on a POSIX user type property that is not a property of the user type, such as loginShell or gidNumber, the filter always evaluates to false, and the query returns nothing.

  • When applying a Common REST patch operation to a Json syntax attribute, you cannot patch individual fields of the JSON object. You must change the entire JSON object instead.

    As a workaround, perform an update of the entire object, changing only the desired fields in your copy.

Windows

Due to a Java issue on Windows systems (JDK-8057894), when configuring DS servers with data confidentiality enabled, DS might display an error message containing the following text:

Unexpected CryptoAPI failure generating seed

If this happens, try running the command again.

Interface stability

Interfaces labeled as Evolving and Technology Preview in the documentation may change without warning. In addition, the following rules apply:

  • All Java APIs are Evolving, except com.* packages, which are Internal/Undocumented.

  • The class org.forgerock.opendj.ldap.CoreMessages is Internal.

  • Text in log messages is Internal. Log message IDs are Evolving.

  • The default content of cn=schema (LDAP schema) is Evolving.

  • The interfaces of the backendstat and changelogstat commands are Evolving.

  • Interfaces that aren’t described in released product documentation are Internal/Undocumented.

    For example, the LDIF representation of the server configuration, config.ldif, is Internal.

  • Also refer to Deprecated and Removed.

Product release levels

Ping Identity defines Major, Minor, Maintenance, and Patch product release levels. The version number reflects release level. The release level tells you what sort of compatibility changes to expect.

Release level definitions
Release Label Version Numbers Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes.

  • Can include changes even to Stable interfaces.

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated.

  • Include changes present in previous Minor and Maintenance releases.

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes.

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces.

  • Can remove previously Deprecated functionality.

  • Include changes present in previous Minor and Maintenance releases.

Maintenance, Patch

Version: x.y.z[.p]

The optional p reflects a Patch version.

  • Bring bug fixes.

  • Are intended to be fully compatible with previous versions from the same Minor release.

Product stability labels

Ping Identity Platform software supports many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

Ping Identity acknowledges that you invest in these features and interfaces, and therefore must know when and how Ping Identity expects them to change. For that reason, Ping Identity defines stability labels and uses these definitions in Ping Identity Platform products.

Stability label definitions
Stability Label Definition

Stable

This documented feature or interface is expected to undergo backwards-compatible changes only for major releases.

Changes may be announced at least one minor release before they take effect.

Evolving

This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Legacy

This feature or interface has been replaced with an improved version, and is no longer receiving development effort from Ping Identity.

You should migrate to the newer version; however, the existing functionality will remain.

Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.

Deprecated

This feature or interface is deprecated, and likely to be removed in a future release.

For previously stable features or interfaces, the change was likely announced in a previous release.

Deprecated features or interfaces will be removed from Ping Identity products.

Removed

This feature or interface was deprecated in a previous release, and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are considered new technology and are not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice.

DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment, and are welcome to make comments and suggestions about the features in the associated forums.

Ping Identity does not guarantee that a technology preview feature will be present in future releases, and the final complete version of the feature is liable to change between the preview and the final version. Once a technology preview moves into the completed version, that feature becomes part of the Ping Identity Platform.

Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and Ping Identity accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented features or interfaces can change without notice.

If you depend on one of these features or interfaces, contact support to discuss your needs.

Getting support

Ping Identity provides support services, professional services, training, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.pingidentity.com.

Ping Identity has staff members around the globe who support our international customers and partners. For details on Ping Identity’s support offering, visit https://www.pingidentity.com/support.

Ping Identity publishes comprehensive documentation online:

  • The Ping Identity Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage Ping Identity Platform software.

    While many articles are visible to everyone, Ping Identity customers have access to much more, including advanced information for customers using Ping Identity Platform software in a mission-critical capacity.

  • Ping Identity product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

Security advisories

Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.

Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

You can find security advisories in the Ping Identity Knowledge Base.

Release timeline

Release date | DS version | Release type (1)

2024-10-16 | 7.4.3 | Maintenance
2024-08-14 | 7.5.1 | Maintenance
2024-06-26 | 7.1.8 | Maintenance
2024-05-29 | 7.2.5 | Maintenance
2024-05-15 | 7.3.5 | Maintenance
2024-04-30 | 7.4.2 | Maintenance
2024-04-02 | 7.5.0 | Minor
2024-01-18 | 7.4.1 | Maintenance
2024-01-17 | 7.3.4 | Maintenance
2023-12-14 | 7.2.4 | Maintenance
2023-11-15 | 7.1.7 | Maintenance
2023-10-09 | 7.4.0 | Minor
2023-09-11 | 7.3.3 | Maintenance
2023-08-28 | 7.2.3 | Maintenance
2023-07-27 | 7.1.6 | Maintenance
2023-06-29 | 7.3.2 | Maintenance
2023-06-09 | 7.3.1 | Maintenance
2023-05-25 | 7.1.5 | Maintenance
2023-04-27 | 7.2.2 | Maintenance
2023-04-04 | 7.3.0 | Minor
2023-01-26 | 7.2.1 | Maintenance
2022-10-11 | 7.1.4 | Maintenance
2022-09-09 | 7.1.3 | Maintenance
2022-08-03 | 6.5.6 | Maintenance
2022-06-30 | 7.2.0 | Minor
2022-02-28 | 7.1.2 | Maintenance
2021-09-28 | 7.1.1 | Maintenance
2021-08-16 | 6.5.5 | Maintenance
2021-05-12 | 7.1.0 | Minor
2021-03-29 | 7.0.2 | Maintenance
2020-12-10 | 7.0.1 | Maintenance
2020-09-23 | 6.5.4 | Maintenance
2020-08-10 | 7.0.0 | Major
2020-04-03 | 5.5.3 | Maintenance
2020-02-27 | 6.5.3 | Maintenance
2019-06-20 | 6.5.2 | Maintenance
2019-04-10 | 6.5.1 | Maintenance
2018-11-28 | 6.5.0 | Minor
2018-10-01 | 5.5.2 | Maintenance
2018-07-19 | 5.5.1 | Maintenance
2018-05-04 | 6.0.0 | Major
2017-10-18 | 5.5.0 | Minor

(1) For details about the scope of expected changes for different release types, refer to Interface stability.