Resolved Issues

The following issues have been resolved with this release of PingDataSync Server:

Ticket ID Description
DS-811 Added an optional reason parameter for dsconfig changes that are automatically included in the server's config-audit.log file.
DS-1029 The server now monitors important certificates that are used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. When a monitored certificate is 30 days from expiration, an alarm is raised, and alerts are sent.
DS-1045 Constructed attribute mappings now support multivalued source attributes for conditional (conditional-value-pattern property) and non-conditional (value-pattern property) value patterns. Only one of the source attributes that contribute to a given value pattern can be multivalued.

Updated the installer to discourage the use of weak root passwords.

When run in interactive mode, setup displays the following list of quality recommendations before prompting for the initial root password:

  • Make the password at least 12 characters in length.
  • Verify that the password is not contained in the following dictionary types:
    • English words
    • Commonly used passwords

If the proposed password does not meet these constraints, the user is given the option of proceeding with the provided weak password or choosing a different password.

When run in non-interactive mode, setup exits with an error if the proposed initial root password does not satisfy these constraints, unless the command line also includes the --allowWeakRootUserPassword argument.

In either mode, when a strong initial root password is supplied, setup configures a root user's password policy to ensure that subsequent root user passwords are also required to satisfy these constraints.

DS-4161 Updated PingDirectory, PingDirectoryProxy, PingDataSync, and PingDataGovernance Servers with the capability to run as Windows Services.
DS-10016 PingDataSync Server now supports Oracle Unified Directory as an external server and as a sync source.

Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.

Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone viewing the configuration file. Consequently, the value is not displayed in administrative interfaces.

The Server SDK provides a method for obtaining the plaintext representation of an obscured value. This mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear.

DS-10748 Added configuration options for setting the SSL Protocol and the SSL Cipher Suites to the HTTPS Connection Handler.
DS-13721 Corrected the port number that is returned in the error message displayed when an administrator attempts to set up a server that is already running.
DS-14650 Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses.
DS-15051 Sync Destination Server SDK Extensions can now ignore a change by calling the setIgnore() method on the provided sync operation. Ignored changes are not included as applied operations in the statistics that are reported for the Sync Pipe through the Management Console, the bin or status command-line utility, or in a raw form under cn=Sync Pipe Monitor: <pipe-name>,cn=monitor.
DS-15861, DS-15862

Replaced the ldapsearch and ldapmodify tools with new, backward-compatible versions that offer many new features, including the following examples:

  • Improved connection handling
  • Improved output formatting
  • Improved support for bulk operations
  • Support for referrals
  • Support for additional request and response controls
  • Rate limiting

The ldapsearch tool also offers the following abilities:

  • Output results in the following formats as an alternative to LDIF:
    • JSON
    • CSV
    • Tab-delimited text
  • Supports multiple data transformations

Additionally, the ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files.

DS-16405 The SNMP context name for the server can now be configured by using the new context-name property of the SNMP Subagent plugin. When this property is not set, the server instance name remains the default context name .
DS-16423 PingDataSync Server now supports OpenDJ as an external server and as a sync source.
DS-16509 Updated the access and audit loggers so that, when information is logged about an internal operation that an external client request triggered, the log message includes the connection and operation ID for the request. Also updated the error logger so that, when a message is logged from a thread that is actively processing an operation, the log message includes the connection and operation ID for that operation.
DS-16593 Fixed an issue in which incorrect names displayed in the usage for the start scripts.
DS-16603 For Active Directory external servers, the bind-dn property can now be a User Principal Name (UPN).
DS-16789 The script files that stop and start the server have been renamed to stop-server and start-server, respectively. Earlier versions or the scripts are still present.
DS-16858 The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made.
DS-16906 Added a disabled-alert-type configuration property to the Alert backend. This property suppresses specific alert types from being added to the backend.
DS-17019 The server now requires Java version 8.
DS-17078 Updated some cases in which filtered SCIM searches for groups with missing members were not returned.
DS-17080 Improved error reporting for the manage-extensions tool.
DS-17089 PingDataSync Server now supports generic LDAP servers as sync destinations.

Updated the logic that selects which TLS cipher suites to enable by default, and the logic that prioritizes the cipher suites. Also updated the selection process to use the guidelines that the OWASP "Transport Layer Protection Cheat Sheet" document provides.

The following changes are included:

  • The server already preferred cipher suites that support forward secrecy over suites that do not. It now prefers DHE over ECDHE, and avoids suites that use non-RSA keys.
  • The server already avoided cipher suites that used known-weak cryptographic weaknesses, including null encryption, the RC4 symmetric cipher, and the MD5 digest algorithm. It now also avoids anonymous encryption, the single-DES symmetric cipher, the IDEA symmetric cipher, and any suite using export-level encryption.
  • The server now prefers cipher suites that use the Galois/Counter Mode (GCM) over the Cipher Block Chaining (CBC) mode.
  • The server now prefers AES-based cipher suites with 256-bit keys over those that use 128-bit keys. For suites with equivalent key sizes, it prefers suites with a stronger message digest algorithm over suites with a weaker digest algorithm (for example, SHA384 over SHA256 over SHA).
  • The server now provides improved support for selecting and prioritizing ciphers when running on the IBM JVM. The IBM JVM uses a different naming convention for its cipher suites than does the Oracle implementation, which previously allowed certain desirable suites to be excluded from the selected set.
DS-17241 The Administrative Console is no longer compatible with earlier versions of the server.
DS-17318 Removed the default root password from the out-of-the-box configuration to provide additional security. This password was never actually used because it was replaced by the user-supplied password provided when running setup.
DS-17356 Added additional logging for ignored synchronization operations.

Updated the server to reduce the use of the SHA-1 message digest. The server now uses a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:

  • Hashing or signing a backup
  • Signing an LDIF export
  • Signing log data
  • Generating MACs for an encrypted collect-support-data archive
  • Generating unique identifiers for encryption settings definitions
  • Determining whether the configuration changed with the server offline

In all of these cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into earlier versions of the server.

The fingerprint certificate mapper has also been updated to use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.

Additionally, the example enhanced password-storage scheme that the UnboundID Server SDK provides has been updated to use the 256-bit SHA-2 digest instead of a SHA-1 digest.

DS-17531 Fixed an issue that could cause a sync pipe to crash due to missing attributes in the changelog.
DS-17544 The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/, located in the server root.
DS-17545, DS-17546, DS-18008 Enhanced Attribute Mapping in PingDataSync Server to allow users to filter or exclude values from entries in the Sync Destination.
DS-17576 Updated the Server SDK's ServerContext to expose a ValueConstructor, which build String values by using a value-pattern template that references attribute values within an entry. For more information, refer to the Javadoc for the ValueConstructor class that is included with the Server SDK packaging.
DS-17652 Fixed an issue in which attribute matching rules were not applied appropriately during synchronization.
DS-17653 Addressed an issue in which the server would throw a NullPointerException if a implementation did not set a modifier's name in a generated ChangeRecord.
DS-17668 Sync correlation attributes now support correlating using JSON keys within JSON attribute values. A JSON key can be referenced with syntax <attribute-name>>.<JSON-key>>. If a JSON correlation attribute is used but the JSON key does not exist for the source or destination entry, or if the considered source or destination entry does not possess valid JSON data, the destination entry considered entry is not matched.
DS-17688 PingDataSync Server now supports the synchronization of particular fields within JSON attributes. The JSON Attribute configuration object controls the manner in which fields are synchronized, as well as the manner in which source and destination values are correlated.
DS-17689 Sync constructed attribute mappings now support extracting JSON fields within JSON attributes by appending ., and then the JSON field, to extract to the attribute name. For example, if the JSON attribute is ubidEmailJSON and the value field is to be extracted, then ubidEmailJSON.value can be specified for the attribute name, resulting in {ubidEmailJSON.value} or, if a regular expression is used, {ubidEmailJSON.value:/regex/replacement/flags}.

Constructed attribute mappings now support modifiers that alter the value of referenced source attributes when added to the end of source attribute references. For example, if the attribute mail is to be included in a constructed JSON value, the modifier jsonEscape can be specified, resulting in {{"userMail":{mail:jsonEscape} }} or, if a regular expression is used, {{"userMail":{mail:/regex/replacement/flags:jsonEscape} }}.

Note: {{ expands to {, and }}}} expands to '}.

The following modifiers are available:

  • jsonEscape — Escapes text for use in a JSON value.
  • ldapFilterEscape — Escapes text for use in an LDAP filter.
  • lowerCase — Converts text to lowercase.
  • trim — Removes leading and trailing whitespace.
  • upperCase — Converts text to uppercase.
DS-17697 Added additional support to PingDataSync Server for synchronizing Active Directory Groups that contain more than 1,500 members.
DS-17711 PingDataSync Server now logs an error and continues processing if it encounters a corrupted changelog entry. Previously, the server threw an exception continually and stopped processing subsequent changes.
DS-17741 LDAP referral entries are now synchronized as a raw entry rather than trying to follow the referral.
DS-17742 LDAP changelog-based Sync Sources, such as the DSEE Sync Source, no longer fetch source entries when none of the Sync Source's configured base-dn values contains the targetDN in the corresponding changelog entry. This change reduces the load that is placed on the source directory servers.
DS-17936 PingDataSync Server now tries to use the source schema, if available, when the destination schema is unavailable.
DS-17968 Limited the ACI search on the collect support data tool to pull only 100 entries. This change reduces the amount of time the tool requires to run for organizations with a large number of ACIs.
DS-17993 Added additional logging to PingDataSync Server for cases in which attribute mapping fails. The synchronization operation is not halted.
DS-18003 Updated the Server SDK so that HTTPServletExtensions can be installed on PingDataSync Server instances.
DS-18026 Fixed an issue that involved setting the sync connect and response timeouts with incorrect units of time.

A license key is required when setting up a server for the first time.

Important: To request a license, visit the Ping Identity licensing website or contact
DS-18136 Enhanced the LDAP Sync Destination to allow administrators to configure options for synchronizing user passwords with clear-text, in cases where the LDAP Server does not support pre-encoded password synchronization. Setting password-synchronization-format:clear-text on the LDAP Sync Destination now enables the clear-text synchronization of passwords. By default, passwords are synchronized only in the clear over a secure connection. To override this option, set require-secure-connection-for-clear-text-passwords:false on the LDAP Sync Destination.
DS-18169 Fixed an incompatibility between Java and PKCS12 trust stores and keystores that caused an error during PingDataSync Server installations.
DS-18188 Removed the ability to create custom HTTP trace loggers by using the Server SDK.
DS-18199 Updated the default configuration of the File-Based Access Logger (logs/access) so that requests from peer PingDataSync instances are no longer suppressed. This approach simplifies the troubleshooting of connection and health-checking issues between server instances.
DS-35495 Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches that are required to retrieve the full configuration when pre-validating configuration changes.