The following issues have been resolved with this release of the PingDirectory Server:
Added the 'listKeysExceedingIndexEntryLimit' argument to the verify-index tool, which enables listing the keys for indexes that have exceeded their index entry limits.
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired).
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
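The three pieces described above fit together as one client flow: a trusted application requests a reset token for a user it has already identified, the end user's client fetches the password requirements to display them, and the user then presents the token in place of the current password while asking the server to report exactly which requirements an unacceptable password failed. The class below is an added illustration of that flow written against the UnboundID LDAP SDK; it is not PingDirectory's own code. The SDK class and method names (`DeliverPasswordResetTokenExtendedRequest`, `GetPasswordQualityRequirementsExtendedRequest.createSelfChangeForSpecifiedUserRequest`, `PasswordValidationDetailsRequestControl` and the matching result and response-control classes) are given as I understand them from the SDK's unboundidds packages and should be checked against the javadoc of the SDK release you use; the connections, `userDN`, token and passwords are assumed inputs supplied by the caller.

```java
import java.util.List;

import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;
import com.unboundid.ldap.sdk.unboundidds.controls.PasswordQualityRequirementValidationResult;
import com.unboundid.ldap.sdk.unboundidds.controls.PasswordValidationDetailsRequestControl;
import com.unboundid.ldap.sdk.unboundidds.controls.PasswordValidationDetailsResponseControl;
import com.unboundid.ldap.sdk.unboundidds.extensions.DeliverPasswordResetTokenExtendedRequest;
import com.unboundid.ldap.sdk.unboundidds.extensions.DeliverPasswordResetTokenExtendedResult;
import com.unboundid.ldap.sdk.unboundidds.extensions.GetPasswordQualityRequirementsExtendedRequest;
import com.unboundid.ldap.sdk.unboundidds.extensions.GetPasswordQualityRequirementsExtendedResult;
import com.unboundid.ldap.sdk.unboundidds.extensions.PasswordQualityRequirement;

/**
 * Added example of the reset-token flow; not PingDirectory's own code.
 * Step 1 runs in a trusted application that has already verified the user's
 * identity by some independent means. Steps 2 and 3 run in the client the
 * end user interacts with. Connection setup and binding are assumed to be
 * handled by the caller.
 */
public final class PasswordResetTokenFlow {

  /** Step 1: have the server generate a single-use token and deliver it out of band. */
  public static void requestResetToken(LDAPConnection adminConn, String userDN)
      throws LDAPException {
    DeliverPasswordResetTokenExtendedRequest req =
        new DeliverPasswordResetTokenExtendedRequest(userDN);
    DeliverPasswordResetTokenExtendedResult res = req.process(adminConn, 0);
    if (res.getResultCode() != ResultCode.SUCCESS) {
      throw new LDAPException(res);
    }
    // The application never receives the token; the server delivers it to the
    // user over the configured mechanism (for example SMS or email). Record
    // only the mechanism and recipient, never anything secret.
    System.out.println("Reset token sent via " + res.getDeliveryMechanism()
        + " to " + res.getRecipientID());
  }

  /** Step 2: fetch the requirements so the client can show them before the user types. */
  public static List<PasswordQualityRequirement> fetchRequirements(
      LDAPConnection conn, String userDN) throws LDAPException {
    // Factory method name is an assumption about the SDK; verify against its javadoc.
    GetPasswordQualityRequirementsExtendedRequest req =
        GetPasswordQualityRequirementsExtendedRequest
            .createSelfChangeForSpecifiedUserRequest(userDN);
    GetPasswordQualityRequirementsExtendedResult res = req.process(conn, 0);
    if (res.getResultCode() != ResultCode.SUCCESS) {
      throw new LDAPException(res);
    }
    for (PasswordQualityRequirement r : res.getPasswordRequirements()) {
      System.out.println("Requirement: " + r.getDescription());
    }
    return res.getPasswordRequirements();
  }

  /** Step 3: present the token in place of the current password and choose a new one. */
  public static boolean changePasswordWithToken(LDAPConnection conn, String userDN,
      String token, String newPassword) throws LDAPException {
    // The token goes where the old password normally would. The request
    // control asks the server to say which requirements a rejected password missed.
    PasswordModifyExtendedRequest req = new PasswordModifyExtendedRequest(
        "dn:" + userDN, token, newPassword,
        new Control[] { new PasswordValidationDetailsRequestControl() });
    PasswordModifyExtendedResult res = req.process(conn, 0);
    if (res.getResultCode() == ResultCode.SUCCESS) {
      return true;
    }
    PasswordValidationDetailsResponseControl details =
        PasswordValidationDetailsResponseControl.get(res);
    if (details != null) {
      for (PasswordQualityRequirementValidationResult v : details.getValidationResults()) {
        if (!v.requirementSatisfied()) {
          System.out.println("Not met: " + v.getPasswordRequirement().getDescription()
              + (v.getAdditionalInfo() == null ? "" : " (" + v.getAdditionalInfo() + ")"));
        }
      }
    }
    return false;
  }
}
```

The split between the two connections is the security-relevant part: the component that decides who may receive a token is privileged, while the component that consumes the token needs no knowledge of the user's old password, and neither component ever handles the token value except as the user types it in.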
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration.
Updated the Configuration API output where properties and their values are listed to include those that are undefined.
The setup tool has been updated to use HTTPS when configuring the HTTP Connection Handler(s). Unsecured HTTP can be enabled post-setup, or by using non-interactive setup.
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it.
Updated the local DB backend so that changes to the db-checkpointer-wakeup-interval property no longer require a restart to take effect, and to expose new monitor attributes with useful information about the processing performed by the database cleaner.
Addressed cases where some messages may be suppressed in logs and alerts.
Changed the default password policy behavior to prevent users from changing their passwords to their current password value. This logic will apply regardless of password history settings.
Added a configuration option to enable a wait period before removing a 'server unavailable' alert after a garbage collection task is performed. This allows sub-systems like replication to restart before the server becomes available again. For the Periodic GC Plugin, this option is 'delay-post-gc'. For a Forced GC Task entry, the attribute is named 'ds-task-delay-post-gc'. Both options take a value in milliseconds, and have a default value equivalent to 20 seconds.
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised.
Fixed an issue that generated the following error message, but did not impact the current operation: "An unexpected error occurred while notifying a change notification listener of a modify operation: RuntimeException: The specified condition must be true. The error occurred at com.unboundid.directory.server.types.AuthenticationInfo.replaceUserEntries."
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.
Updated the notification destination cn=monitor entry (objectclass of ds-notification-destination-monitor-entry) to include an attribute, ds-notification-age-of-next-pending-change-seconds, which tracks how out-of-date the destination is in seconds. Values are only maintained on the master server for that domain (ds-notification-master=true). A value of 0 on the master server for that domain indicates that the destination is up-to-date. This attribute can be used in a gauge to generate alarms if a destination gets too far behind.
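The rule a gauge on this attribute has to encode is that the age is only meaningful where ds-notification-master is true, and that 0 means the destination is caught up. The class below is an added illustration of how an external monitor could apply that rule to the monitor entries returned by a search of cn=monitor; it is not PingDirectory's own gauge implementation (the server's Gauge is configured in the server itself) and uses the UnboundID LDAP SDK's LDIF reader to parse a constructed sample. The thresholds, destination names and sample values are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldif.LDIFReader;

/** Added example: evaluates notification-destination lag the way a gauge would. */
public final class NotificationLagGauge {

  public enum Severity { OK, WARNING, CRITICAL, IGNORED }

  // Constructed sample of what a cn=monitor search might return; not real server output.
  // The third entry is a non-master replica, where the age value is not maintained.
  static final String SAMPLE_LDIF = String.join("\n",
      "dn: cn=Notification Destination Orders,cn=monitor",
      "objectClass: ds-notification-destination-monitor-entry",
      "ds-notification-master: true",
      "ds-notification-age-of-next-pending-change-seconds: 0",
      "",
      "dn: cn=Notification Destination Audit,cn=monitor",
      "objectClass: ds-notification-destination-monitor-entry",
      "ds-notification-master: true",
      "ds-notification-age-of-next-pending-change-seconds: 900",
      "",
      "dn: cn=Notification Destination Billing,cn=monitor",
      "objectClass: ds-notification-destination-monitor-entry",
      "ds-notification-master: false",
      "ds-notification-age-of-next-pending-change-seconds: 7200",
      "");

  /** Applies the gauge rule to one monitor entry. */
  public static Severity evaluate(Entry e, int warnSeconds, int critSeconds) {
    Boolean master = e.getAttributeValueAsBoolean("ds-notification-master");
    if (master == null || !master) {
      // Only the master for the domain maintains the age; anything else is noise.
      return Severity.IGNORED;
    }
    Integer age = e.getAttributeValueAsInteger(
        "ds-notification-age-of-next-pending-change-seconds");
    if (age == null) {
      return Severity.IGNORED;
    }
    if (age >= critSeconds) {
      return Severity.CRITICAL;
    }
    if (age >= warnSeconds) {
      return Severity.WARNING;
    }
    return Severity.OK;   // 0 means the destination is up to date
  }

  /** Reads every entry from the LDIF text and reports its severity. */
  public static List<String> report(String ldif, int warnSeconds, int critSeconds)
      throws Exception {
    List<String> lines = new ArrayList<>();
    try (LDIFReader reader = new LDIFReader(
        new ByteArrayInputStream(ldif.getBytes(StandardCharsets.UTF_8)))) {
      Entry e;
      while ((e = reader.readEntry()) != null) {
        lines.add(e.getDN() + " -> " + evaluate(e, warnSeconds, critSeconds));
      }
    }
    return lines;
  }

  public static void main(String[] args) throws Exception {
    // Warn at five minutes behind, alarm at ten; both are assumed values.
    for (String line : report(SAMPLE_LDIF, 300, 600)) {
      System.out.println(line);
    }
  }
}
```

With the sample data the Orders destination is OK, Audit is CRITICAL, and Billing is ignored despite its large value, which is the behaviour the attribute's documentation calls for.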