Known Issues/Workarounds

The following are known issues in the current version of the PingDirectoryProxy Server

  • When deploying a .war file through the Web Application HTTP Servlet Extension, dependencies bundled in the file may conflict with the server's own dependencies if the server version differs from the version in the .war file. This may cause the Web Application HTTP Servlet Extension or the server itself to not start correctly. For reference, all server dependencies are available in <server root>/lib.

Resolved Issues

The following issues have been resolved with this release of the PingDirectoryProxy Server:

Ticket ID Description

The collect-support-data tool now has the option to collect logging information within a specified time range via the '--timeRange' argument.


Updated interactive dsconfig to include an option to toggle between sorting similar properties together or sorting them alphabetically.


Added a new search-logs tool. Similar to the command line tool 'grep,' this tool searches across log files to extract lines matching the provided pattern(s). The search-logs tool can handle multi-line log messages, extract log messages within a given time range, and include rotated log files.


Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired).


The setup and initial configuration tools now support offline modes that can be used to bootstrap the server configuration while it is not running. Also, files generated by theses tools are now saved to the server's resource directory.


Added the ability to configure the Globally-Unique Attribute and Unique Attribute plugins with a filter to limit attribute uniqueness checking to a subset of matching entries.


Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads.


Custom HTTP loggers are no longer permitted to modify the requests and responsesbeing logged. Calling a forbidden method will result in a subclass of UnsupportedOperationException. For requests, the forbidden methods are authenticate, getReader, login, logout and setCharacterEncoding. For responses, the forbidden methods are addCookie, addHeader, addIntHeader, flushBuffer, getOutputStream, getWriter, reset, sendError, sendRedirect, setBufferSize, setCharacterEncoding, setContentLength, setContentType, setHeader, setIntHeader, setLocale and setStatus.


Added support for a "name with entryUUID" request control. If this control is included in an add request, the entry will be added with a distinguished name whose RDN contains only the entryUUID attribute. This offers a number of potential benefits:

  • It can help preserve data privacy by ensuring the entry DN does not include sensitive or personally-identifying information.
  • It can reduce the need for modify DN operations, since entries are not named with user attributes that have the potential to change.
  • It can serve as a convenience for entries in which there is no obvious, guaranteed-unique attribute (or combination of attributes) to use for naming those entries.

Added properties to the task backend for limiting the number of log messages retained in task entries, in order to limit the size of the in-memory representation of those entries. All log messages generated by a task will still be recorded in the server error log, even if they are not all retained in the corresponding entry in the task backend.


Updated the server's JVM arguments to always log garbage collection information to a rotating set of log files stored within logs/jvm/gc.log.N. The file system usage is limited to 300MB. If the server had previously been configured with VERBOSE_GC, then garbage collection logging information will no longer be logged to logs/server.out.


Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.

Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration.


Updated the Configuration API output where properties and their values are listed to include those that are undefined.


Added support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. The syntax requires that each value of this type is a valid JSON object. Two matching rules have also been added for use in conjunction with the JSON object syntax: jsonObjectExactMatch and jsonObjectFilterExtensibleMatch.

The jsonObjectExactMatch equality matching rule is used in evaluating equality filters in search operations, as well as for matching performed against JSON object attributes for add, compare, and modify operations. It determines whether two values are logically-equivalent JSON objects. The field names used in both objects must match exactly (although fields may appear in different orders). The values of each field must have the same data types. String values will be compared in a case-insensitive manner. The order of elements in arrays will be considered significant.

The jsonObjectFilterExtensibleMatch matching rule can perform more powerful matching against JSON objects. The assertion values for these extensible matching filters should be JSON objects that express the constraints for the matching. These JSON object filters are described in detail in the Javadoc documentation (available in the Commercial Edition of the UnboundID LDAP SDK for Java) for the com.unboundid.ldap.sdk.unboundidds.json.JSONObjectFilter class and its subclasses. Although the LDAP SDK can facilitate searches with this matching rule, these searches can be issued through any LDAP client API that supports extensible matching.

Indexing is supported only for the jsonObjectExactMatch matching rule. If possible, non-baseObject searches that use the jsonObjectFilterExtensibleMatch matching rule should be wrapped in an LDAP AND filter that also contains one or more indexed components so that the search can be processed more efficiently.


The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup.


Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it.


The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage.


Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart.


Addressed cases where some messages may be suppressed in logs and alerts.


Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised.


SCIM, through proxy, does not support pagination. Pagination requires the use of VLV and Server Side Sort controls, which are not natively supported by the Identity Proxy Server. The SCIM proxy configuration script incorrectly included these controls in the ACI and supported controls sections. These have now been removed.


Added support for running on Oracle Java 8 and OpenJDK 8 platforms.


Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors.


Fixed an issue where using the RouteToBackendSetRequestControl with an incorrect entry-balancing request processor ID could result in a NullPointerException.


Updated the server to avoid the use of the server-side sort and virtual list view request controls in search requests that span multiple subtree views or multiple entry-balanced backend sets. If the server cannot honor a non-critical server-side sort or virtual list view control, then it will process the search operation as if the control had not been included in the request. If the server cannot honor a critical server-side sort or virtual list view control, then it will return an error result to the client.


Update the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints.


The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.


Added support for three new extended operations for interacting with single-use tokens:

  • The "get supported OTP delivery mechanisms" operation provides information about which one-time password delivery mechanisms are configured in the server, and which of those are available for a specified user.
  • The "deliver single-use token" operation can generate a token value and provide it to a specified user through an out-of-band communication mechanism like email, SMS, or voice call.
  • The "consume single-use token" operation indicates that the user has received a single-use token from the "deliver single-use token" operation, and to consume that token so that it cannot be reused.

Fixed an issue where the Proxy Server returned an incorrect result code when attempting to add an entry that already exists more than one level below an entry balancing base DN. The Proxy Server in some cases would incorrectly return NO_SUCH_OBJECT rather than ENTRY_ALREADY_EXISTS.


Fixed an issue where configuring numeric IPv4 address filtering by connection criteria in a log publisher performed unnecessary reverse host name lookups.


Updated the prepare-* tools to avoid unnecessary confirmation for trust of the prepared server's certificate when the --trustStorePath argument specifies a trust store that establishes trust.


Updated the LDAP connection handler to enable the use of multiple threads for accepting connections and preparing them for use. This improves concurrency for deployments in which the process of accepting a new connection may take some time to complete, possibly because of expensive DNS lookups or invoking time-consuming post-connect plugins).


Improved the server's support for selecting TLS cipher suites. When the server is configured to use a specific set of cipher suites, it will now always validate that all of the configured suites are supported by the JVM. When the server is not configured to use a specific set of cipher suites, it will now customize the set of default suites to prioritize those using strong cryptography (especially those that offer forward secrecy), and exclude suites with known weaknesses.


Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server if running out of file descriptors and degrade the server appropriately.


MakeLDIF templates now have the ability to escape special characters curly braces, angle brackets, and square brackets using a backslash. See config/MakeLDIF/examples-of-all-tags.template for further examples.


The following UnboundID product names have changed: - Identity Datastore to Datastore - Identity Proxy to Proxy Server - Identity Data Sync Server to Data Sync Server - Identity Broker to Data Broker


Fixed an issue that would result in long server startup when many locations and load balancing algorithms are defined.


Updated the alert handler configuration to indicate whether the alert handler should be invoked asynchronously in a background thread rather than by the thread that generated the alert. For alerts generated during the course of processing an operation, invoking potentially time-consuming alert handlers in a background thread can avoid adversely impacting the response time for that operation while still ensuring that administrators are made aware of the issue that arose.


Updated the server to provide support for SMTP connection pooling. When sending an email message, the server will attempt to reuse an existing SMTP connection rather than establishing a new connection for each message.


Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage.


Fixed a bug where using the advanced arguments of some tools would result in changing the saved complexity settings for the dsconfig tool.


Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status.


Updated the installer to increase the maximum suggested JVM size on Linux systems with at least 48 GB of RAM.


Fixed an issue where debug logging at a fine-level could consume large amounts of memory.


Addressed an issue where data definition language (DDL) log field mappings for the JDBC error log were not previously documented.


Updated the prepare-external-server tool to suppress output when run with the --quiet option.


The Proxy Server processing for Third-Party Proxied Extended Operation Handlers has been changed for extended operations containing "Route To Backend Set" request controls. The default behavior is now to process the operation only on backends in the entry-balancing request processors specified in the request controls. The old behavior to process on backends in other request processors too may be obtained through the advanced "route-to-backend-set-behavior" configuration property on the Third-Party Proxied Extended Operation Handler.


Fixed a case where duplicate entry searches performed prior to an ADD operation in an entry-balanced environment may not honor a maximum response timeout.


Fixed a log publisher defect that would result in an unreadable file when both compression and signing were enabled at the same time.


Updated the server to allow an initial heap size over 128 GB. Due to limitations of older JVMs, this was previously capped at 128 GB, even when the maximum heap size was larger.


Updated the create-systemd-script tool by adding resource limits for available open file descriptors (NOFILE), and shared memory reservations (MEMLOCK). The generated script lists the recommended file descriptors limit and the resource limit setting for enabling large page support. The settings in the create-systemd-script output supersedes prior documentation for setting the number of open file descriptors on non-systemd systems.


Updated the server to better utilize worker threads and reduce the potential for a work queue backlog when processing multiple concurrent long-running operations.


Fixed an issue involving transactions sent through a Proxy Server with Entry Balancing configured. If the transaction contained requests that targeted entries that were not in the global index, then duplicate requests were included in the resulting Multi-Update operation forwarded to the Datastore.


Fix an issue in the SCIM interface where an attribute required by the SCIM schema could be deleted by a PATCH operation.


Added the ability to protect Velocity templates using the basic authentication scheme.


Fixed an issue where there could be missing or duplicated changes when synchronizing through a Proxy Server in an entry-balancing configuration. The issue only affected Proxy Server configurations with multiple entry-balancing request processors referencing the same proxying request processor.


The ldifsearch command now supports the option "---isCompressed" for LDIF files that have been compressed with gzip.


Fixed an issue with the collect-support-data tool when using the --pid argument. Only one jstack was being collected, instead of using the amount specified by the --maxJstacks argument.


Improved processing of abandon requests with subordinate operations by avoiding canceling twice and not waiting for internally canceled operations.


Fixed an issue where configuration changes to an external server would not notify all load-balancing algorithms defined for that server.