PingDirectory suite of products 10.1.0.0 (June 2024) - PingDirectory - 10.1

PingDirectory 10.1

Fixed a PingDirectoryProxy authentication issue

PingDirectoryProxy
Security DS-48028
Fixed an issue that could have allowed clients attempting to authenticate through the PingDirectoryProxy server to obtain more information in the bind response than would have been allowed if the request had been sent directly to a PingDirectory server.

Added presence component support for composite index filter patterns

PingDirectory
New DS-18120
Added the ability to use presence components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing presence attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern. Learn more about Composite index filter patterns.

Added static equality support for composite index filter patterns

PingDirectory
New DS-18120
Added the ability to use equality components with static values in composite index filter patterns, which can be useful in cases where you want to index specific attribute values that are present in a large number of entries. The index filter pattern can either be a simple static equality component, an AND filter with multiple static equality components, or an AND filter with static equality components combined with other supported filter pattern components.

Added approximate matching support for composite index filter patterns

PingDirectory
New DS-48631
Added the ability to use approximate matching components in composite indexes, whether as a standalone filter pattern or in an AND filter pattern. You can now replace existing approximate matching attribute indexes with composite indexes for improved scalability or to limit the scope of index keys by using a base DN pattern.

Added support for localized matching in searches

PingDirectory
New DS-48630
Added support for several collation matching rules, which allow clients to use extensible match filters to better search for entries with non-English values. Learn more about Localization of searches with collation matching.

Added a repair tool for broken trust in replicated topologies

PingDirectory
New DS-48752
Added a tool to repair broken listener certificate trust in replicated topologies. To reduce troubleshooting and speed up the repair of broken subtree mirroring in a replicated topology where listener certificates have fallen out of trust, you can use the repair-topology-listener-certificates tool. Learn more about Repairing broken listener certificate trust in replication.
Note: This tool is not an alternative to using the replace-certificates tool when changing listener certificates normally and can only be used to address issues that arise from unsuccessful certificate updates in the topology registry.

Added the ability to compare LDAP schemas between servers

PingDirectory, PingDirectoryProxy
New DS-47930
Added the compare-ldap-schemas tool to identify differences between the schemas of two LDAP servers.

Added a configurable limit for subtree modification

PingDirectory
New DS-47316
Added the subtree-modify-dn-size-limit configuration property for local DB backends. By default, the server now rejects modify DN operations in which the target entry has more than 100 subordinate entries, which can help protect against inadvertent and potentially expensive subtree moves or renames.

With this property, subtree modify DN operations can be completely disabled, limited to subtrees of a specified maximum size, or allowed for subtrees of any size.

Added client connection info in request-type access logging

PingDirectory
New DS-48614
Added the include-connection-details-in-request-messages property to allow you to add details about client connections in request-type access log messages. The property is disabled by default. Learn more about Adding connection information to request-type log messages.

Added the ability to exclude error log messages

PingDirectory, PingDirectoryProxy, PingDataSync
New DS-48581
Added the ability to exclude specific error log messages to help simplify server administration. You can configure several criteria to determine which messages to exclude. Learn more about Excluding specific log messages.

Added boolean attribute support for Prometheus metrics

PingDirectory
New DS-47286
Added support for boolean attributes in Prometheus monitor metrics. These metrics can be used for monitor attributes that have values such as true, false, enabled, disabled, yes, no, on, off, 1, or 0. The server sends a gauge metric to Prometheus with a value of 1 or 0 to represent these values. Learn more about Customizing published metrics.

Added obfuscation for sensitive Kafka values

PingDataSync
New DS-48216
Added the sensitive-kafka-producer-property configuration object to enable you to obscure sensitive producer property values, such as keys or passwords. Learn more about Obscuring sensitive producer property values.

Added support for PKCS11 key wrapping transformations

PingDirectory
New DS-48514
For environments that require specific key wrapping transformations, we added the ability to use dsconfig to update the key-wrapping-transformation property for PingDirectory PKCS11 cipher stream providers.

Added a password verification extended operation

PingDirectory, PingDirectoryProxy
New DS-48662
Added support for an extended operation to verify passwords, which can be used to determine whether a specified password is correct for a given user without performing any other password policy processing. Support for this operation is disabled by default. Learn more about The verify password extended operation.

Added support for synchronizing account lock statuses from PingOne

PingDataSync
Improved DS-47933
Increased the consistency of enterprise-wide user statuses by adding support for synchronizing account lock status events from a PingOne source. Learn more about Synchronizing PingOne account status with PingDirectory.

Enabled candidate set caching to improve indexed search performance

PingDirectory
Improved DS-48530
Added a configuration property that enables you to cache the candidate set for indexed search requests that include the simple paged results request control. By default, the server recomputes the candidate set for each page of results retrieved from the server. With caching enabled, the server can reuse the same candidate set across all pages without needing to recompute it each time.

Learn more about optimizing paged searches using caching.

Reduced the performance impact of exploded index cleanup processing

PingDirectory
Improved DS-48672
Reduced the performance impact of the background cleanup processing that occurs when an exploded index key exceeds the index entry limit.

Previously, performance of other write operations had been substantially degraded while the cleanup was in progress and, under certain circumstances, could have caused the server to appear unresponsive. Now, the background cleanup processing might take significantly longer but has much less impact on other operations while that cleanup is in progress.

Increased the speed of search results

PingDirectory
Improved DS-48075
Updated the server to allow it to start returning matching entries more quickly and with reduced memory consumption when processing a search request that can be perfectly satisfied by a single composite index key.

Increased the server startup speed

PingDirectory, PingDirectoryProxy, PingDataSync
Improved DS-48869
Changed the default behavior of the interactive setup to not prime the database by preloading its contents.

Increased throughput in backend DB environments

PingDirectory
Improved DS-48827
Increased write throughput and significantly reduced response time outliers in backend DB environments.

Improved performance for servers with large configuration archives

PingDirectory, PingDirectoryProxy, PingDataSync
Improved DS-48875
Changed the configuration archive to retain a maximum of 100 previous configurations by default to alleviate the performance impact of large archives.

Improved server guidance around attribute and composite indexes

PingDirectory
Improved DS-48670, DS-5357
Updated the server to raise an alert or log a warning message when attribute index entry limits are set too high and to recommend the use of composite indexes instead. High index entry limits can lead to performance issues for attribute indexes, and composite indexes offer much better performance and scalability for index keys that match a large number of entries.

Reduced memory pressure for dynamic group caching

PingDirectory
Improved DS-44929
Reduced the amount of memory needed to cache information about dynamic groups.

Enabled data imports to ignore duplicate attribute values

PingDirectory
Improved DS-48603
Updated the import-ldif tool to add an --ignoreDuplicateAttributeValues argument. By default, the tool rejects any entries that contain duplicate values within the same attribute, but this new argument causes it to behave as if each value had only been provided once.

Enhanced the configurability of ACI rights for adding entries

PingDirectory
Improved DS-48516
Added the evaluate-target-attribute-rights-for-add-operations configuration property to the access control handler to correct a behavior where the bind user required an allow add ACI for only one attribute of an entry to add the entry.

With this property enabled, the bind user must have an allow add ACI for all attributes of an entry to add the entry. To avoid changing existing functionality, evaluate-target-attribute-rights-for-add-operations is disabled by default. Learn more about Changing the allow add ACI behavior for entries.
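The two behaviors described above can be compared before enabling the property. The following is an added example, not PingDirectory code or tooling: a simplified model that reads only the targetattr list and the add right from each ACI and reports which attributes of a candidate entry would be left uncovered. The function names, sample ACI and sample entry are constructed for illustration, and the model assumes every attribute in the entry (including objectClass) counts toward the check.

```python
import re

# Simplified model (assumption): only targetattr="..." and allow (...) are read.
# Targets, bind rules, deny rules and targetattr!= are not evaluated.
TARGETATTR = re.compile(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', re.I)
ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)


def add_granted_attrs(aci):
    """Return lowercased attribute names for which this ACI allows add."""
    m_attr, m_allow = TARGETATTR.search(aci), ALLOW.search(aci)
    if not m_attr or not m_allow:
        return set()
    rights = {r.strip().lower() for r in m_allow.group(1).split(",")}
    if "add" not in rights:
        return set()
    return {a.strip().lower() for a in m_attr.group(1).split("||") if a.strip()}


def evaluate_add(acis, entry_attrs, require_all):
    """Model the add decision as the release note describes it.

    require_all=False: one covered attribute is enough (property disabled).
    require_all=True:  every attribute must be covered (property enabled).
    Returns (allowed, sorted list of uncovered attributes).
    """
    granted = set()
    for aci in acis:
        granted |= add_granted_attrs(aci)
    attrs = [a.lower() for a in entry_attrs]
    # "*" is treated as covering every attribute in this model.
    uncovered = [] if "*" in granted else sorted(a for a in attrs if a not in granted)
    covered_any = len(uncovered) < len(attrs)
    allowed = (not uncovered) if require_all else covered_any
    return allowed, uncovered


# Constructed sample data: an ACI intended to cover naming attributes only.
SAMPLE_ACIS = [
    '(targetattr="objectClass||cn||sn||uid")(version 3.0; acl "helpdesk add"; '
    'allow (add) groupdn="ldap:///cn=helpdesk,ou=groups,dc=example,dc=com";)',
]
SAMPLE_ENTRY = ["objectClass", "cn", "sn", "uid", "userPassword", "mail"]

if __name__ == "__main__":
    for mode in (False, True):
        allowed, uncovered = evaluate_add(SAMPLE_ACIS, SAMPLE_ENTRY, mode)
        print(f"property enabled={mode}: add allowed={allowed}, uncovered={uncovered}")
```

Attributes listed as uncovered are the ones whose adds would start being rejected once the property is enabled, so they indicate which ACIs need review first.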

Increased replication speed

PingDirectory
Improved DS-48826
Increased throughput for replicated operations.

Made schema replication more efficient

PingDirectory
Improved DS-48343
Made schema replication more efficient by not sending, and by not applying, update messages that don't need to be applied. This is done by calculating the generation ID correctly, setting replication operational attributes in the schema backend, and by noting the changes most recently applied in the replicationChanges backend.

Improved obsolete replica logic

PingDirectory
Improved DS-48800
Improved obsolete replica logic so that replication more accurately determines if a replica is obsolete.

Increased the efficiency of replication backlog health checks

PingDirectoryProxy
Improved DS-48552
Made the server health check for the replication backlog more efficient.

Reduced the size of replication monitor messages

PingDirectory
Improved DS-48058
To reduce the size of replication monitor messages, the include-all-remote-servers-state-in-monitor-message global configuration property is now set to false by default. Servers no longer include information about other remote servers in their monitor messages, but each server describes itself with its own monitor message.

Reduced the retrieval time for the percentage of undeletable files

PingDirectory
Improved DS-45172
Used caching to speed up the Database Environment monitor entry retrieval of the percentage of undeletable database files.

Expanded the controls for export-reversible-passwords

PingDirectory
Improved DS-48022
Updated the export-reversible-passwords tool to allow you to specify base DNs for entries to include in or exclude from the export.

Made it easier to upgrade the Password Sync Agent

PingDataSync
Improved DS-17945, DS-48793
Made it easier to install and upgrade the Password Sync Agent by clarifying and expanding the documentation.

Enhanced debug support for CLI tools

PingDirectory, PingDirectoryProxy, PingDataSync
Improved DS-48239
Added debug logging support to a number of command-line tools. Use the --help-debug argument to see the relevant arguments.

Added a timeout for long-running exec alert commands

PingDirectory
Improved DS-48724
Added a timeout feature that automatically terminates the execution of a long-running command or script initiated by the exec alert handler. The command-timeout attribute controls the time limit and has a default value of 1 hour. To disable this timeout, you can change the command-timeout value to 0 s. Learn more about Changing the timeout for an exec alert handler.

Enabled expensive operations access logging by default

PingDirectory, PingDirectoryProxy, PingDataSync
Improved DS-48856
Made a configuration change to have the expensive operations access logger enabled by default. Any operations that take at least one second to complete will be logged to the logs/expensive-ops file.

Added cipher re-initialization logic for performance improvement

PingDirectory
Improved DS-48893
Added the always-reinitialize-cached-cipher-instances configuration property to specify whether ciphers retrieved from an internal cache should always be re-initialized using Cipher.init() before re-use, or whether re-initialization can be skipped if the cipher has not been used to encrypt or decrypt data since a previous call to Cipher.init() or Cipher.doFinal().

This new property defaults to true, unless the server is running in FIPS 140-2-compliant mode. Skipping unnecessary re-initialization of cached ciphers results in greatly improved performance for implementations such as BCFIPS AES/CBC/PKCS5Padding.

Fixed an issue with inconsistency in paged search results

PingDirectory, PingDirectoryProxy
Fixed DS-46808
Fixed an issue where PingDirectoryProxy could have returned an inconsistent number of entries for paged search requests. Now, to ensure consistency in the returned entries, PingDirectoryProxy sends each paged search request to one server.

Fixed an encoding issue with UTF-8 in URI search filters

PingDirectory, PingDataSync
Fixed DS-48300
Fixed an issue where PingDataSync couldn't properly encode certain UTF-8 characters used in a URI search request filter sent to an external server. The server is now able to encode filter values that include any UTF-8 characters.

Fixed an issue with syncing modified PingOne attributes

PingDataSync
Fixed DS-48669
Fixed an issue where syncing from a PingOne sync source using an attribute synchronization mode of modified-attributes-only resulted in changed attributes not being properly synced over.

Fixed an issue with VLV indexes and extensible match filters

PingDirectory
Fixed DS-48026
Fixed an issue that could have prevented the server from using VLV indexes defined with certain kinds of extensible match filters, including those using the jsonObjectFilterExtensibleMatch or relativeTimeExtensibleMatch matching rules.

Fixed an issue with inconsistent entryUUID values across servers

PingDirectory
Fixed DS-48678, DS-48720
Fixed an issue where MODDN operations on replicated PingDirectory servers configured with Groovy-scripted or third-party type password generators or validators could result in inconsistent entryUUID values for the same entry on different servers.

Fixed an issue with attribute value duplication

PingDirectory
Fixed DS-48585
Fixed an issue where replace operations that targeted attributes with subordinate types would cause the subordinate attribute values to be duplicated.

Fixed a replication issue with an Invalid host error

PingDirectory
Fixed DS-48311
Fixed an issue where disabling replication with a missing hostname sometimes caused dsreplication status to fail with an Invalid host error.

Fixed a configuration change issue when replacing profiles

PingDirectory, PingDirectoryProxy, PingDataSync
Fixed DS-45783
Resolved an issue where running the manage-profile replace-profile command could cause dsconfig changes to be made out of order.

Fixed an issue with an encryption alarm

PingDirectory
Fixed DS-46533
Fixed an issue where the Strong Encryption Not Available Gauge had a value of INDETERMINATE and showed an alarm, even when the JVM supported strong encryption. Also changed the name of this gauge to Strong Encryption Available to avoid confusion in the event of an alarm being raised.

Fixed an issue with the PSA updating the wrong entries

PingDataSync
Fixed DS-48358
Fixed an issue where the PSA could update incorrect entries upon a password change if there were users with the same sAMAccountName in a forest.

Fixed an issue with entry modification in replication

PingDirectory
Fixed DS-48491
Fixed an issue that could prevent a modify request from adding real attribute values to a replicated entry that already had one or more virtual values for that attribute.

Fixed an issue with indexing entries while debugging

PingDirectory
Fixed DS-48723
Fixed an issue where an untrusted composite index would prevent entries matching that index from being added or modified if a debug log publisher was enabled for the composite index.

Fixed an error message in the Delegated Admin report

PingDirectory, PingDirectoryProxy
Fixed DS-48774
Removed a stack trace from the error message returned when generating a Delegated Admin report with an invalid SCIM filter.

Fixed a null pointer exception in replication

PingDirectory
Fixed DS-48796
Fixed an NPE error that could occur when running the dsreplication enable command in interactive mode.

Fixed an issue with installing PingDirectory in FIPS mode

PingDirectory
Fixed DS-48834
Resolved an issue where installing the PingDirectory server in FIPS-compliant mode would sometimes fail with an error stating that a configuration file entry had the same DN as another entry already read from that file.

Fixed a rare startup error related to replication and sleep values

PingDirectory
Fixed DS-48897
Fixed a rare issue where the server could have experienced an IllegalArgumentException on startup due to a negative sleep value when one or more replication servers weren't online.