Fixed a PingDirectoryProxy authentication issue
Added presence component support for composite index filter patterns
Added static equality support for composite index filter patterns
Added approximate matching support for composite index filter patterns
Added support for localized matching in searches
Added a repair tool for broken trust in replicated topologies
This tool is not an alternative to using the replace-certificates tool when changing listener certificates normally and can only be used to address issues that arise from unsuccessful certificate updates in the topology registry.
Added the ability to compare LDAP schemas between servers
Added a configurable limit for subtree modification
subtree-modify-dn-size-limit
configuration property for local DB backends. By default, the server now rejects
modify DN operations in which the target entry has more than 100 subordinate
entries, which can help protect against inadvertent and potentially expensive
subtree moves or renames.With this property, subtree modify DN operations can be completely disabled, limited to subtrees of a specified maximum size, or allowed for subtrees of any size.
Added client connection info in request-type access logging
include-connection-details-in-request-messages
property to
allow you to add details about client connections in request-type access log
messages. The property is disabled by default. Learn more about Adding connection information to request-type log messages.Added the ability to exclude error log messages
Added boolean attribute support for Prometheus metrics
true
, false
, enabled
,
disabled
, yes
, no
,
on
, off
, 1
, or
0
. The server sends a gauge metric to Prometheus with a
value of 1
or 0
to represent these values.
Learn more about Customizing published metrics.Added obfuscation for sensitive Kafka values
sensitive-kafka-producer-property
configuration object to enable you to obscure sensitive producer property
values, such as keys or passwords. Learn more about Obscuring sensitive producer property values.Added support for PKCS11 key wrapping transformations
key-wrapping-transformation
property for PingDirectory PKCS11 cipher stream
providers.Added a password verification extended operation
Added support for synchronizing account lock statuses from PingOne
Enabled candidate set caching to improve indexed search performance
Learn more about optimizing paged searches using caching.
Reduced the performance impact of exploded index cleanup processing
Previously, performance of other write operations had been substantially degraded while the cleanup was in progress and, under certain circumstances, could have caused the server to appear unresponsive. Now, the background cleanup processing might take significantly longer but has much less impact on other operations while that cleanup is in progress.
Increased the speed of search results
Increased the server startup speed
Increased throughput in backend DB environments
Improved performance for servers with large configuration archives
Improved server guidance around attribute and composite indexes
Reduced memory pressure for dynamic group caching
Enabled data imports to ignore duplicate attribute values
--ignoreDuplicateAttributeValues
argument. By default, the
tool rejects any entries that contain duplicate values within the same
attribute, but this new argument causes it to behave as if each value had only
been provided once.Enhanced the configurability of ACI rights for adding entries
evaluate-target-attribute-rights-for-add-operations
configuration property to the access control handler to correct a behavior where
the bind user required an allow add
ACI for only one attribute
of an entry to add the entry.With this property enabled, the bind user must
have an allow add
ACI for all attributes of an entry to add
the entry. To avoid changing existing functionality,
evaluate-target-attribute-rights-for-add-operations
is
disabled by default. Learn more about Changing the allow add ACI behavior for entries.
Increased replication speed
Made schema replication more efficient
replicationChanges
backend.Improved obsolete replica logic
Increased the efficiency of replication backlog health checks
Reduced the size of replication monitor messages
include-all-remote-servers-state-in-monitor-message
global
configuration property is now set to false by default. Servers no longer include
information about other remote servers in their monitor messages, but each
server describes itself with its own monitor message.Reduced the retrieval time for the percentage of undeletable files
Expanded the controls for export-reversible-passwords
Made it easier to upgrade the Password Sync Agent
Enhanced debug support for CLI tools
--help-debug
argument to see the relevant
arguments.Added a timeout for long-running exec alert commands
command-timeout
attribute controls the time limit
and has a default value of 1 hour. To disable this timeout, you can change the
command-timeout
value to 0 s. Learn
more about Changing the timeout for an exec alert handler.Enabled expensive operations access logging by default
Added cipher re-initialization logic for performance improvement
always-reinitialize-cached-cipher-instances
configuration
property to specify whether ciphers retrieved from an internal cache should
always be re-initialized using Cipher.init()
before re-use, or
whether re-initialization can be skipped if the cipher has not been used to
encrypt or decrypt data since a previous call to Cipher.init()
or Cipher.doFinal()
.This new property defaults to
true
, unless the server is running in FIPS
140-2-compliant mode. Skipping unnecessary re-initialization of cached
ciphers results in greatly improved performance for implementations such as
BCFIPS AES/CBC/PKCs5Padding.
Fixed an issue with inconsistency in paged search results
Fixed an encoding issue with UTF-8 in URI search filters
Fixed an issue with syncing modified PingOne attributes
modified-attributes-only
resulted in
changed attributes not being properly synced over.Fixed an issue with VLV indexes and extensible match filters
jsonObjectFilterExtensibleMatch
or
relativeTimeExtensibleMatch
matching
rules.Fixed an issue with inconsistent
entryUUID
values across servers
entryUUID
values for the same entry on
different servers.Fixed an issue with attribute value duplication
Fixed a replication issue with an Invalid host error
Fixed a configuration change issue when replacing profiles
Fixed an issue with an encryption alarm
INDETERMINATE
and showed an alarm, even when the JVM
supported strong encryption. Also changed the name of this gauge to Strong
Encryption Available to avoid confusion in the event of an alarm being
raised.