What's new in the PingDirectory 10.0 suite of products?
PingDirectory
- Historically, LDAP servers favor data integrity over resiliency. However, given the growth in customer topologies, there is a strong requirement for maintaining production server uptimes to meet customer expectations. In this environment, servers can be removed from the topology frequently, and if the server is down longer than the configured replication purge delay, problems could arise once the server is brought back online. In this release, a new feature allows you to configure the level of availability when encountering this issue during topology management.
- Static groups, which are the simplest and most commonly used type of group, explicitly list the DNs of group members. Server performance when adding or removing members from a static group depends partially on the group size itself, but we have identified a number of further inefficiencies in how the server handles static group membership changes. This release includes changes to improve performance when updating static groups.
  This release also introduces a new group type: inverted static groups. As with traditional static groups, inverted static group membership is explicitly defined rather than automatically determined. However, instead of storing the entire list of members in the group entry, each user entry lists the set of inverted static groups in which that user is a member. Inverted static groups with a large number of members can be more efficient to maintain than traditional static groups, because adding or removing a user only requires updating the user entry, which is not affected by the number of members in the group. The server also provides an optional plugin that allows an inverted static group to be updated as if it were a traditional static group, intercepting attempts to alter the membership attribute in the group entry itself and making the corresponding changes in user entries instead.
- PingDirectory allows clients to interact with the server using a REST API over HTTP as an alternative to LDAP. Recent updates to the Directory REST API, including the addition of support for controls and select extended operations, have improved feature parity between the REST-based and LDAP-based interfaces, creating a more robust experience for developers using the REST API.
  While it is possible to authorize individual requests using either HTTP basic authentication (using the DN and password of the target user) or an OAuth 2 access token obtained through another service, the Directory REST API didn’t provide a fine-grained way of verifying user credentials. This release introduces a new authenticate endpoint, which provides a way for Directory REST API clients to verify user credentials. This enables you to better differentiate authentication failures from authorization failures, and to obtain an access token to use in authorizing subsequent requests as a specific user. Users can be identified with either a DN or a username, and the credentials may include a static password on its own or in conjunction with a delivered one-time password, a time-based one-time password, or a one-time password generated by a YubiKey device.
- PingDirectory has always offered support for defining deprecated password storage schemes. If a user successfully authenticates and provides the server their clear-text password, and if their password is currently encoded with an undesirable scheme, the server can automatically re-encode their password using a more desirable scheme. This release expands on this functionality by making it possible to re-encode passwords if the configuration of the underlying scheme has changed in a way that affects the scheme’s stored representation.
  For example, if a user’s password is encoded using the PBKDF2 scheme, the server can now automatically re-encode the password if their stored password uses a digest algorithm, iteration count, salt length, or derived key length that doesn’t match the current configuration of that scheme. PingDirectory has also long supported the Pwned Passwords service, rejecting attempts to set passwords that are known to have been compromised. In the past, interaction with the Pwned Passwords service used a hard-coded timeout of 30 seconds in case the service became unreachable or unresponsive. You can now customize that timeout.
- PingDirectory uses the Berkeley DB Java Edition to store its data, and this database library offers support for caching some or all of the data in memory for faster access. PingDirectory also allows administrators to configure separate backends to hold different portions of the DIT. Previously, the server maintained a separate database cache for each backend, requiring the administrator to adjust the percentage of the JVM’s memory that each backend is allowed to consume. This release now enables you to share a common database cache across all backends. Although this capability is disabled by default, it can simplify the server configuration by only requiring administrators to specify the total percentage of JVM memory to use for caching, without needing to configure caching separately for each backend.
- Amazon’s Simple Storage Service (S3) is a popular cloud-based data storage service that can be used as a convenient off-site backup mechanism. In the past, some PingDirectory server administrators have chosen to manually copy certain types of files (for example, LDIF exports or rotated log files) to an S3 bucket as an additional layer of safety in their disaster recovery strategy. This release introduces direct support for using the S3 service as a way of backing up LDIF exports and log files.
  This release offers support for post-LDIF-export task processors. This enables you to automatically perform additional processing after successfully completing an LDIF export, including exports created as part of a recurring task. We have included an implementation that can copy the resulting export file to a specified S3 bucket for safekeeping, and it can automatically remove older export files from that bucket based on the number or age of files in that bucket. It is also possible to use the Server SDK to develop custom post-LDIF-export task processor implementations to perform other kinds of processing after an export completes.
  This release offers a new log file rotation listener that can automatically copy log files to a specified S3 bucket as soon as they have been rotated out of place. This support is available for most types of log files that the server can generate, and it also supports automatic retention based on the number or age of the files in the bucket. The server now includes a new amazon-s3-client command-line tool that can be used to manually manage buckets and files in the S3 service, including uploading files to or downloading files from a specified bucket.
- This release includes changes to dramatically improve performance when creating a backup, restoring a backup, or performing online replica initialization.
Fixed a security issue
Added an amazon-s3-client command-line tool
Added an amazon-s3-client command-line tool that can be used to interact with the Amazon Simple Storage Service (S3). This tool enables you to list, create, and delete buckets, as well as list, upload, download, and delete files in a specified bucket. This may be useful in deployments where the server is configured to automatically copy rotated log files or exported LDIF files to the S3 service.
Added a request control to Directory REST API
Added a new /authenticate endpoint to the Directory REST API
Authentication types supported by the endpoint:
- password
- passwordPlusTOTP
- passwordPlusDeliveredOTP
- passwordPlusYubiKeyOTP
For more information on the /authenticate endpoint, see Managing the Directory REST API.
Added five new Directory REST API endpoints to support the /authenticate endpoint
Added five new Directory REST API endpoints to support the /authenticate endpoint. These endpoints enable users to interact with supporting services that facilitate the creation, delivery, and revocation of one-time passwords (OTP) and time-based one-time passwords (TOTP), which are required to perform authentication operations with the API. These endpoints include:
- /directory/v1/{dn}/generateTOTPSharedSecret
- /directory/v1/{dn}/revokeTOTPSharedSecret
- /directory/v1/deliverOneTimePassword
- /directory/v1/{dn}/registerYubiKeyOTPDevice
- /directory/v1/{dn}/deregisterYubiKeyOTPDevice
For more information on these endpoints, see Managing the Directory REST API.
Added support for the 2b password storage variant
Added support for post-LDIF-export task processors
These processors include an Upload to S3 processor, which can be used to upload the resulting LDIF file to a specified Amazon S3 bucket. You can also use the Server SDK to create custom post-LDIF-export task processors. For more information, see Performing post-LDIF-export task processing.
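The retention behaviour described for the Upload to S3 processor and the log file rotation listener (remove older files based on the number or age of files in the bucket) is easy to get subtly wrong, for example by letting an age limit delete the only recent export. The following is an added example written for this page, not PingDirectory's own code: it models the policy as a pure function over an object listing whose (key, last_modified) shape mirrors an S3 listing, so it runs offline. The bucket contents are constructed sample data.

```python
"""Retention for LDIF exports copied to an S3 bucket (added example).

Illustrative code written for this page, not PingDirectory's Upload to S3
processor. It models the described retention rule, removing older export
files based on the number or age of files in the bucket, as a pure
function over an object listing. The listing below is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class S3Object(NamedTuple):
    key: str
    last_modified: datetime


def select_for_deletion(objects, prefix, now, max_count=None, max_age_days=None):
    """Return the sorted keys under *prefix* that the policy says to delete.

    max_count:    keep at most this many of the newest objects.
    max_age_days: delete objects older than now - max_age_days.
    Both limits may be combined; an object is deleted if either applies.
    The newest object under the prefix is always kept, so a misconfigured
    limit (max_count=0, max_age_days=0) cannot leave the bucket without
    any recent copy.
    """
    candidates = sorted(
        (o for o in objects if o.key.startswith(prefix)),
        key=lambda o: o.last_modified,
        reverse=True,  # newest first
    )
    if not candidates:
        return []
    doomed = set()
    if max_count is not None:
        keep = max(max_count, 1)
        doomed.update(o.key for o in candidates[keep:])
    if max_age_days is not None:
        cutoff = now - timedelta(days=max_age_days)
        # candidates[1:] skips the newest object so it is never aged out
        doomed.update(o.key for o in candidates[1:] if o.last_modified < cutoff)
    return sorted(doomed)


# Constructed sample listing: daily exports for 2024-03-03 .. 2024-03-10,
# plus an unrelated rotated log that the prefix filter must leave alone.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    S3Object(f"exports/userRoot-2024-03-{day:02d}.ldif.gz",
             NOW - timedelta(days=10 - day))
    for day in range(3, 11)
] + [S3Object("logs/access.2024-03-01", NOW - timedelta(days=30))]


if __name__ == "__main__":
    # Keep the three newest exports, and nothing older than four days.
    for key in select_for_deletion(SAMPLE_LISTING, "exports/", NOW,
                                   max_count=3, max_age_days=4):
        print("would delete", key)
```

Running the block with both limits set reports the 2024-03-03 through 2024-03-07 exports for deletion and keeps the three newest; the logs/ object is ignored because it does not match the prefix.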
Added support for inverted static groups
Although it is not enabled by default, the server also provides a new plugin that makes it possible for clients to interact with inverted static groups in much the same way as they interact with traditional static groups. The plugin will intercept attempts to add or remove member DNs in the group entry itself and will instead cause the corresponding changes to be applied in the member entries. It also provides limited support for interacting with group members in the group entry for search and compare operations as if the member DNs actually existed in the group entries. For more information, see Using inverted static groups.
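To make the difference between the two group types concrete, the following is an added example written for this page, not PingDirectory's implementation. It keeps a small directory in memory, stores traditional static group membership in the group entry and inverted static group membership in the user entries, and has apply_modify() play the role of the optional plugin described above: a member add or delete aimed at an inverted static group is rewritten into a change on the affected user entries, and member lookups against the group are answered from the user entries. The attribute name ds-example-inverted-group-dn and the object class exampleInvertedStaticGroup are hypothetical names chosen for the illustration; the entries are constructed.

```python
"""Traditional vs. inverted static group membership (added example).

Illustrative code written for this page, not PingDirectory's implementation.
A traditional static group lists member DNs in the group entry; an inverted
static group stores membership in each user entry, so changing one member
touches only that user's entry regardless of group size. apply_modify()
mirrors the optional plugin: a member change on an inverted static group is
redirected to the user entries. The attribute name and object class used
for the inverted side are hypothetical; all entries are constructed.
"""

GROUP_MEMBER_ATTR = "member"                    # standard groupOfNames attribute
INVERTED_ATTR = "ds-example-inverted-group-dn"  # hypothetical user-side attribute
INVERTED_OC = "exampleInvertedStaticGroup"      # hypothetical object class


def norm(dn):
    """Case-insensitive DN comparison key (whitespace rules omitted for brevity)."""
    return dn.lower()


def is_inverted_group(directory, group_dn):
    entry = directory[norm(group_dn)]
    return INVERTED_OC.lower() in {oc.lower() for oc in entry.get("objectClass", set())}


def apply_modify(directory, target_dn, op, attr, values):
    """Apply an LDAP-style add/delete of attr values on target_dn.

    For an inverted static group, a member add/delete is redirected to the
    affected user entries and the group entry itself is left untouched.
    Returns the DNs whose entries were actually modified.
    """
    if op not in ("add", "delete"):
        raise ValueError(f"unsupported modification type: {op}")
    if attr == GROUP_MEMBER_ATTR and is_inverted_group(directory, target_dn):
        touched = []
        for user_dn in values:
            groups = directory[norm(user_dn)].setdefault(INVERTED_ATTR, set())
            if op == "add":
                groups.add(norm(target_dn))
            else:
                groups.discard(norm(target_dn))
            touched.append(user_dn)
        return touched
    # Traditional group (or any other attribute): modify the target entry directly.
    vals = directory[norm(target_dn)].setdefault(attr, set())
    for v in values:
        key = norm(v) if attr == GROUP_MEMBER_ATTR else v
        vals.add(key) if op == "add" else vals.discard(key)
    return [target_dn]


def members(directory, group_dn):
    """Member DNs of a group of either type (what a search on the group would see)."""
    key = norm(group_dn)
    if is_inverted_group(directory, group_dn):
        # Cost is a scan of user entries, which is why the plugin's
        # read-side support is described as limited.
        return sorted(dn for dn, e in directory.items() if key in e.get(INVERTED_ATTR, set()))
    return sorted(directory[key].get(GROUP_MEMBER_ATTR, set()))


def is_member(directory, group_dn, user_dn):
    return norm(user_dn) in members(directory, group_dn)


def build_sample_directory():
    """Constructed entries: two users, one traditional and one inverted group."""
    return {
        "uid=alice,ou=people,dc=example,dc=com": {"objectClass": {"inetOrgPerson"}},
        "uid=bob,ou=people,dc=example,dc=com": {"objectClass": {"inetOrgPerson"}},
        "cn=legacy,ou=groups,dc=example,dc=com": {"objectClass": {"groupOfNames"}, "member": set()},
        "cn=big,ou=groups,dc=example,dc=com": {"objectClass": {INVERTED_OC}},
    }
```

Note that after the plugin-style add, the inverted group entry still has no member attribute at all; the membership lives entirely in the user entries, which is exactly why the size of the group no longer affects the cost of a single membership change.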
Added a split-ldif tool
Added a split-ldif tool that can be used to split an LDIF file into multiple segments, each having a subset of the entries below a specified base DN; entries at or above that base DN are included in all segments. This is primarily intended for splitting a large data set for use in entry balancing, and it offers several algorithms for dividing the entries between segments.
Added a new HTTP Connection configuration property
Added a new configuration property for replication servers
Added the include-all-remote-servers-state-in-monitor-message configuration property to control whether replication monitor messages include information about remote servers. By default, the property is set to true so that information about remote servers is sent. Setting the property to false may be helpful in large topologies because the size of monitor messages scales with the number of servers.
Added a new log file rotation listener
Added the ability to share a single database cache
- use-shared-database-cache-across-all-local-db-backends: Indicates whether to use a shared database cache. If this property is set to true, then all local DB backends will use a shared database cache, and you must set the property to specify the size of that shared cache. If the property is set to false (the default value), then each local DB backend will maintain its own independent database cache with a size specified by the db-cache-percent configuration property for that backend.
- shared-local-db-backend-database-cache-percent: Specifies the percentage of the total JVM heap size that will be used for the shared database cache. This property will only be used if the use-shared-database-cache-across-all-local-db-backends property is set to true, in which case the server will ignore the db-cache-percent property in the backend configuration.
If a shared database cache is enabled, the server will expose a Shared Local DB Backend Database Cache monitor entry with information about that shared cache, including how much of the cache is consumed by each of the backends.
Added the re-encode-passwords-on-scheme-config-change property to password policy configuration
Added the re-encode-passwords-on-scheme-config-change property to the password policy configuration to indicate whether the server should automatically re-encode passwords that are encoded with settings that don't match the scheme's current configuration. If a user authenticates with a mechanism that provides their password unencoded, and if the password stored in their entry is encoded with settings that don't match the current configuration for the associated password storage scheme, then the server now automatically re-encodes their password with the default password storage scheme(s) using the current settings.
The following password storage schemes support this functionality: AES256, ARGON2, ARGON2D, ARGON2I, ARGON2ID, BCRYPT, PBKDF2, SCRYPT, SSHA, SSHA256, SSHA384, and SSHA512. You can also implement this capability for custom password storage schemes developed with the Server SDK.
The ds-pwp-state-json virtual attribute provider has also been updated with a new has-password-encoded-with-non-current-settings field, whose value indicates whether the user's password is encoded with settings that don't match the current configuration, and a new non-current-password-storage-scheme-settings-explanations field that can provide additional details on how the password encoding differs from the current configuration.
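The re-encoding mechanism described in the release highlights (PBKDF2 digest algorithm, iteration count, salt length, or derived key length no longer matching the scheme configuration) and in the entry above comes down to one check performed at bind time. The following is an added example written for this page, not PingDirectory's PBKDF2 scheme: it stores the parameters alongside the hash, reports which of them differ from the current configuration (the counterpart of the two ds-pwp-state-json fields), and re-encodes only after the clear-text password has been verified. The stored format {PBKDF2}digest:iterations:salt_b64:dk_b64 and the explanation strings are constructed for the illustration, as is the user entry.

```python
"""Re-encoding a stored password when the scheme configuration changed.

Added example for this page, not PingDirectory's PBKDF2 implementation.
On a successful authentication that supplies the clear-text password, the
parameters baked into the stored value (digest algorithm, iteration count,
salt length, derived key length) are compared with the scheme's current
configuration and the password is re-encoded if any of them differ. The
stored format and explanation strings are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import NamedTuple


class Pbkdf2Config(NamedTuple):
    digest: str          # hashlib digest name, e.g. "sha256"
    iterations: int
    salt_length: int     # bytes
    key_length: int      # derived key length in bytes


PREFIX = "{PBKDF2}"


def encode(password, cfg):
    """Encode a clear-text password under cfg with a fresh random salt."""
    salt = os.urandom(cfg.salt_length)
    dk = hashlib.pbkdf2_hmac(cfg.digest, password.encode("utf-8"), salt,
                             cfg.iterations, cfg.key_length)
    return PREFIX + ":".join([cfg.digest, str(cfg.iterations),
                              base64.b64encode(salt).decode(),
                              base64.b64encode(dk).decode()])


def parse(encoded):
    """Split a stored value into (digest, iterations, salt, derived_key)."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a PBKDF2 value")
    digest, iterations, salt_b64, dk_b64 = encoded[len(PREFIX):].split(":")
    return digest, int(iterations), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(password, encoded):
    """Check a clear-text password against a stored value using the stored parameters."""
    digest, iterations, salt, dk = parse(encoded)
    candidate = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, len(dk))
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


def non_current_settings(encoded, cfg):
    """One explanation per stored parameter that differs from cfg (empty if current).

    The list is empty exactly when the stored value already matches the
    current configuration, which is the condition the re-encode step keys on.
    """
    digest, iterations, salt, dk = parse(encoded)
    stored = Pbkdf2Config(digest, iterations, len(salt), len(dk))
    return [f"{name}: stored {s!r}, current {c!r}"
            for name, s, c in zip(Pbkdf2Config._fields, stored, cfg) if s != c]


def authenticate(entry, password, cfg, re_encode_on_config_change=True):
    """Bind-style check that re-encodes userPassword in place when allowed.

    Re-encoding happens only after the clear-text password has been verified,
    so a failed bind never rewrites the stored value.
    """
    if not verify(password, entry["userPassword"]):
        return False
    if re_encode_on_config_change and non_current_settings(entry["userPassword"], cfg):
        entry["userPassword"] = encode(password, cfg)
    return True


# Constructed sample: a password stored under an older, weaker configuration
# than the scheme's current one (small iteration counts keep the demo fast).
OLD_CONFIG = Pbkdf2Config("sha1", 1000, 8, 20)
CURRENT_CONFIG = Pbkdf2Config("sha256", 5000, 16, 32)


def make_sample_entry(password="correct horse"):
    return {"dn": "uid=alice,ou=people,dc=example,dc=com",
            "userPassword": encode(password, OLD_CONFIG)}


if __name__ == "__main__":
    entry = make_sample_entry()
    print(non_current_settings(entry["userPassword"], CURRENT_CONFIG))
    authenticate(entry, "correct horse", CURRENT_CONFIG)
    print(entry["userPassword"][:24], non_current_settings(entry["userPassword"], CURRENT_CONFIG))
```

Two properties of this design are worth keeping in mind when reasoning about the server feature: verification always uses the parameters recorded in the stored value, never the current configuration, so old hashes keep working until the user next binds; and the upgrade is gated on a successful verification with the clear-text password, which is why only authentication mechanisms that deliver the password unencoded can trigger it.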
Added new arguments to the encrypt-file tool
Added a --re-encrypt argument to the encrypt-file tool to read the contents of an existing encrypted file and re-encrypt it with a different encryption settings definition or user-supplied passphrase. If the file is currently encrypted with a user-supplied passphrase, then the --prompt-for-current-passphrase or --current-passphrase-file argument should be used to supply the current encryption passphrase. If the file is currently encrypted with an encryption settings definition, then that definition will automatically be obtained from the encryption settings database.
Added a --find-encrypted-files argument to the encrypt-file tool to identify encrypted files in a specified location on the filesystem. By default, the tool will search for files that are encrypted with any encryption settings definition or a user-supplied passphrase, but it can be used in conjunction with the --encryption-settings-id argument to only identify files that are encrypted with the specified definition.
These new arguments can be useful when migrating away from a former encryption settings definition, particularly if the former definition will eventually be removed from the encryption settings database. If a definition is removed from the encryption settings database, any files encrypted with that definition will no longer be accessible.
Added the replication-missing-changes-policy configuration property
Added the replication-missing-changes-policy configuration property for both replication servers and replication domains to control how replication handles missing changes. This property can be used to avoid missing changes lockdown in cases where such lockdown is not beneficial to the server.
When the missing changes policy is modified, connections are restarted so that the missing changes state can be reevaluated. Lockdown mode is not cleared, but may be cleared by running the leave-lockdown-mode tool.
Added support for an access log field request control
Added support for a generate access token request control
Added support for a generate access token request control that can be included in a bind request to indicate that the server should generate and return an access token in the bind response. That access token may be used in conjunction with the OAUTHBEARER SASL mechanism to authorize subsequent connections by that client. This can be useful in cases where the initial authentication should be performed in a manner that involves single-use credentials like a time-based one-time password, a delivered one-time password, or a one-time password generated by a YubiKey device, but the client wishes to establish multiple connections in which the initial credentials cannot be replayed.
Upgraded Jetty
Removed support for Java 8
Removed support for two dsreplication subcommands
Removed the PingDataMetrics Server
To monitor and provide statistics for your PingDirectory suite of products, see Monitoring PingDirectory metrics with Splunk and Monitoring server metrics with Prometheus.
Improved communication with external HTTP services
Updated zip compression process
java.util.zip will now be used instead of com.jcraft.jzlib for zip compression.
Improved how the replication generation ID is calculated
Improved password security when using the Directory REST API
Improved server upgrade times
Improved memory handling for export-ldif and backup tools
Updated the backup tool to include a compression warning
--compress flag on an encrypted backend.
Updated dsreplication tool to avoid overwrites
Improved performance for backup, restore, and online replica initialization
Improved performance of static group updates
Updated the handling of extraneous data when syncing with Active Directory
end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this update, setting the startpoint should be faster, particularly for slow networks.
Fixed an issue when initializing subhandlers on startup
NullPointerException.
Fixed a logging issue when using proxied authorization
Fixed a duplication issue when running dsjavaproperties --initialize
common.java-args in the java.properties file.
Fixed an issue with error logging
Fixed an issue with running manage-profile generate-profile on an upgraded instance
Fixed an issue with password validation
Fixed an issue that prevented use of the Changelog Password Encryption plugin in replicated environments
Fixed issues with rootDSE search
Fixed an incorrect help text suggestion when running dsreplication initialize
--force flag if unable to connect to the server properly when running dsreplication initialize.
Fixed issues with password history
Fixed an issue that could cause the server to add two copies of the current password into the password history when setting a new password with the password modify extended operation. This did not affect password changes with a regular LDAP modify operation.
Fixed an issue where the server could incorrectly allow a user to set an empty password in cases where none of the configured password validators would have rejected an empty password.
Fixed the server's handling of compact values for the ds-cfg-allow-pre-encoded-passwords attribute
allow-pre-encoded-passwords property in the password policy configuration. This issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.
This fix enables the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. When the password policy entry is retrieved, the attribute may still appear to have a corrupt value, because the value actually stored in the entry still represents the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address this issue.
Fixed an issue with replace modifications for attributes
Fixed an issue that could prevent replace modifications for attribute types with subordinate types from being properly applied.
Fixed the server's handling of SCIM patch operations including empty arrays
Fixed the server's handling of search operations
Fixed an issue with encryption settings initialization
Fixed an issue with expensive operation logging
Fixed an issue with LDAP Connection Handler objects
request-handler-per-connection configuration property for LDAP Connection Handler objects resulted in a single request handler being unable to acknowledge incoming client requests for long-running TLS negotiations.
Fixed the check-replication-domains tool requirements
--serverRoot argument is no longer required, and it defaults to the server's root directory.
Fixed a missing changes error when performing replication
Fixed a NullPointerException replication error that occurred when missing changes were found for a replica, but that replica did not exist on all servers.
Fixed an issue with account lockout
Fixed the server's handling of alerts or alarms without configuration
NullPointerException error where an alert or alarm was raised and one or more of the alert handlers was not configured. This most commonly happened when the server was being stopped.
Fixed the formatting of Generic JDBC sync pipe destination attributes
Fixed an issue with syncing to Active Directory
unicodePwd attribute.
Fixed an issue with synchronizing the enabled attribute in a PingOne destination
enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.
To create an attribute mapping that will modify the enablement status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This ensures that the enabled attribute always has a well-defined value, even if the source attribute is not present on an entry in the source server.
dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=*) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=*)) : true'
Fixed an issue with the manage-topology add-server command
A NullPointerException would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.