Resolved Issues
The following issues have been resolved with this release of PingDataSync Server:
Ticket ID | Description |
---|---|
DS-811 | Added an optional reason parameter for dsconfig changes that are automatically included in the server's config-audit.log file. |
DS-1029 | The server now monitors important certificates that are used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. When a monitored certificate is 30 days from expiration, an alarm is raised, and alerts are sent. |
DS-1045 | Constructed attribute mappings now support multivalued source attributes for conditional (conditional-value-pattern property) and non-conditional (value-pattern property) value patterns. Only one of the source attributes that contribute to a given value pattern can be multivalued. |
DS-2074 | Updated the installer to discourage the use of weak root passwords. When run in interactive mode, setup displays the following list of quality recommendations before prompting for the initial root password: If the proposed password does not meet these constraints, the user is given the option of proceeding with the provided weak password or choosing a different password. When run in non-interactive mode, setup exits with an error if the proposed initial root password does not satisfy these constraints, unless the command line also includes the --allowWeakRootUserPassword argument. In either mode, when a strong initial root password is supplied, setup configures a root user's password policy to ensure that subsequent root user passwords are also required to satisfy these constraints. |
DS-4161 | Updated PingDirectory, PingDirectoryProxy, PingDataSync, and PingDataGovernance Servers with the capability to run as Windows Services. |
DS-10016 | PingDataSync Server now supports Oracle Unified Directory as an external server and as a sync source. |
DS-10694 | Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration. Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone viewing the configuration file. Consequently, the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value. This mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear. |
DS-10748 | Added configuration options for setting the SSL Protocol and the SSL Cipher Suites to the HTTPS Connection Handler. |
DS-13721 | Corrected the port number that is returned in the error message displayed when an administrator attempts to set up a server that is already running. |
DS-14650 | Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses. |
DS-15051 | Sync Destination Server SDK Extensions can now ignore a change by calling the setIgnore() method on the provided sync operation. Ignored changes are not included as applied operations in the statistics that are reported for the Sync Pipe through the Management Console, the bin/status command-line utility, or in a raw form under cn=Sync Pipe Monitor: <pipe-name>,cn=monitor. |
DS-15861, DS-15862 | Replaced the ldapsearch and ldapmodify tools with new, backward-compatible versions that offer many new features, including the following examples: The ldapsearch tool also offers the following abilities: Additionally, the ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files. |
DS-16405 | The SNMP context name for the server can now be configured by using the new context-name property of the SNMP Subagent plugin. When this property is not set, the server instance name remains the default context name. |
DS-16423 | PingDataSync Server now supports OpenDJ as an external server and as a sync source. |
DS-16509 | Updated the access and audit loggers so that, when information is logged about an internal operation that an external client request triggered, the log message includes the connection and operation ID for the request. Also updated the error logger so that, when a message is logged from a thread that is actively processing an operation, the log message includes the connection and operation ID for that operation. |
DS-16593 | Fixed an issue in which incorrect names displayed in the usage for the start scripts. |
DS-16603 | For Active Directory external servers, the bind-dn property can now be a User Principal Name (UPN). |
DS-16789 | The script files that stop and start the server have been renamed to stop-server and start-server, respectively. Earlier versions of the scripts are still present. |
DS-16858 | The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made. |
DS-16906 | Added a disabled-alert-type configuration property to the Alert backend. This property suppresses specific alert types from being added to the backend. |
DS-17019 | The server now requires Java version 8. |
DS-17078 | Updated some cases in which filtered SCIM searches for groups with missing members were not returned. |
DS-17080 | Improved error reporting for the manage-extensions tool. |
DS-17089 | PingDataSync Server now supports generic LDAP servers as sync destinations. |
DS-17146 | Updated the logic that selects which TLS cipher suites to enable by default, and the logic that prioritizes the cipher suites. Also updated the selection process to use the guidelines that the OWASP "Transport Layer Protection Cheat Sheet" document provides. The following changes are included: |
DS-17241 | The Administrative Console is no longer compatible with earlier versions of the server. |
DS-17318 | Removed the default root password from the out-of-the-box configuration to provide additional security. This password was never actually used because it was replaced by the user-supplied password provided when running setup. |
DS-17356 | Added additional logging for ignored synchronization operations. |
DS-17444 | Updated the server to reduce the use of the SHA-1 message digest. The server now uses a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases: In all of these cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into earlier versions of the server. The fingerprint certificate mapper has also been updated to use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported. Additionally, the example enhanced password-storage scheme that the UnboundID Server SDK provides has been updated to use the 256-bit SHA-2 digest instead of a SHA-1 digest. |
DS-17531 | Fixed an issue that could cause a sync pipe to crash due to missing attributes in the changelog. |
DS-17544 | The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root. |
DS-17545, DS-17546, DS-18008 | Enhanced Attribute Mapping in PingDataSync Server to allow users to filter or exclude values from entries in the Sync Destination. |
DS-17576 | Updated the Server SDK's ServerContext to expose a ValueConstructor, which builds String values by using a value-pattern template that references attribute values within an entry. For more information, refer to the Javadoc for the ValueConstructor class that is included with the Server SDK packaging. |
DS-17652 | Fixed an issue in which attribute matching rules were not applied appropriately during synchronization. |
DS-17653 | Addressed an issue in which the server would throw a NullPointerException if a com.unboundid.directory.sdk.sync.api.SyncSource implementation did not set a modifier's name in a generated ChangeRecord. |
DS-17668 | Sync correlation attributes now support correlating using JSON keys within JSON attribute values. A JSON key can be referenced with the syntax <attribute-name>.<JSON-key>. If a JSON correlation attribute is used but the JSON key does not exist for the source or destination entry, or if the considered source or destination entry does not possess valid JSON data, the considered destination entry is not matched. |
DS-17688 | PingDataSync Server now supports the synchronization of particular fields within JSON attributes. The JSON Attribute configuration object controls the manner in which fields are synchronized, as well as the manner in which source and destination values are correlated. |
DS-17689 | Sync constructed attribute mappings now support extracting JSON fields within JSON attributes by appending a period (.), and then the JSON field to extract, to the attribute name. For example, if the JSON attribute is ubidEmailJSON and the value field is to be extracted, then ubidEmailJSON.value can be specified for the attribute name, resulting in {ubidEmailJSON.value} or, if a regular expression is used, {ubidEmailJSON.value:/regex/replacement/flags}. |
DS-17693 | Constructed attribute mappings now support modifiers that alter the value of referenced source attributes when added to the end of source attribute references. For example, if the attribute mail is to be included in a constructed JSON value, the modifier jsonEscape can be specified, resulting in {{"userMail":{mail:jsonEscape} }} or, if a regular expression is used, {{"userMail":{mail:/regex/replacement/flags:jsonEscape} }}. Note: {{ expands to {, and }} expands to }. The following modifiers are available: |
DS-17697 | Added additional support to PingDataSync Server for synchronizing Active Directory Groups that contain more than 1,500 members. |
DS-17711 | PingDataSync Server now logs an error and continues processing if it encounters a corrupted changelog entry. Previously, the server threw an exception continually and stopped processing subsequent changes. |
DS-17741 | LDAP referral entries are now synchronized as a raw entry rather than trying to follow the referral. |
DS-17742 | LDAP changelog-based Sync Sources, such as the DSEE Sync Source, no longer fetch source entries when none of the Sync Source's configured base-dn values contains the targetDN in the corresponding changelog entry. This change reduces the load that is placed on the source directory servers. |
DS-17936 | PingDataSync Server now tries to use the source schema, if available, when the destination schema is unavailable. |
DS-17968 | Limited the ACI search on the collect support data tool to pull only 100 entries. This change reduces the amount of time the tool requires to run for organizations with a large number of ACIs. |
DS-17993 | Added additional logging to PingDataSync Server for cases in which attribute mapping fails. The synchronization operation is not halted. |
DS-18003 | Updated the Server SDK so that HTTPServletExtensions can be installed on PingDataSync Server instances. |
DS-18026 | Fixed an issue that involved setting the sync connect and response timeouts with incorrect units of time. |
DS-18100 | A license key is required when setting up a server for the first time. Important: To request a license, visit the Ping Identity licensing website or contact sales@pingidentity.com. |
DS-18136 | Enhanced the LDAP Sync Destination to allow administrators to configure options for synchronizing user passwords in clear text, in cases where the LDAP Server does not support pre-encoded password synchronization. Setting password-synchronization-format:clear-text on the LDAP Sync Destination now enables the clear-text synchronization of passwords. By default, clear-text passwords are synchronized only over a secure connection. To override this option, set require-secure-connection-for-clear-text-passwords:false on the LDAP Sync Destination. |
DS-18169 | Fixed an incompatibility between Java and PKCS12 trust stores and keystores that caused an error during PingDataSync Server installations. |
DS-18188 | Removed the ability to create custom HTTP trace loggers by using the Server SDK. |
DS-18199 | Updated the default configuration of the File-Based Access Logger (logs/access) so that requests from peer PingDataSync instances are no longer suppressed. This approach simplifies the troubleshooting of connection and health-checking issues between server instances. |
DS-35495 | Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches that are required to retrieve the full configuration when pre-validating configuration changes. |
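
As an added illustration of the DS-17689 and DS-17693 entries (example code written for this page, not PingDataSync's implementation), the following Python sketch models value-pattern expansion and shows what the jsonEscape modifier protects against when a source value is placed inside a constructed JSON string. The ENTRY values are constructed; the double quotes placed around the reference in the pattern and the modifier's exact escaping rules are assumptions, and the /regex/replacement/flags form is not modelled.

```python
import json
import re

# Simplified model of value-pattern expansion (assumption: this is not the
# server's parser). Handles {{ and }} escapes, {attr}, {attr.jsonField}
# (DS-17689) and the jsonEscape modifier (DS-17693).
TOKEN = re.compile(r"\{\{|\}\}|\{([A-Za-z][\w-]*)(?:\.(\w+))?(?::(\w+))?\}")


def json_escape(value):
    """Escape text for placement inside a JSON string literal (no quotes added)."""
    return json.dumps(value)[1:-1]


def expand(pattern, entry):
    """Expand a pattern against entry, a dict of attribute name -> string value."""
    def repl(match):
        if match.group(0) == "{{":
            return "{"
        if match.group(0) == "}}":
            return "}"
        attr, field, modifier = match.groups()
        value = entry[attr]
        if field is not None:  # pull one field out of a JSON-valued attribute
            value = str(json.loads(value)[field])
        if modifier == "jsonEscape":
            value = json_escape(value)
        elif modifier is not None:
            raise ValueError("modifier not modelled here: " + modifier)
        return value
    return TOKEN.sub(repl, pattern)


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


# Constructed sample entry: the mail value carries double quotes.
ENTRY = {
    "mail": '"J. Doe" <jdoe@example.com>',
    "ubidEmailJSON": '{"value": "jdoe@example.com", "type": "work"}',
}
RAW = expand('{{"userMail":"{mail}"}}', ENTRY)                 # no modifier
ESCAPED = expand('{{"userMail":"{mail:jsonEscape}"}}', ENTRY)  # with modifier
FIELD = expand("{ubidEmailJSON.value}", ENTRY)
```

Without the modifier, the quoted display name in the source value yields a destination value that no longer parses as JSON; with jsonEscape, the constructed value parses and carries the original mail value unchanged.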