What's New

These are new features for this release of the PingDirectoryProxy Server:

  • Java 7 is now required when setting up a new server or upgrading an existing server.

  • Added a poll-backend-servers-for-global-index-changes configuration property to allow the entry-balancing request processor to retrieve information about changes processed in backend servers and keep the global index up to date. All backend servers must be configured to maintain an LDAP changelog if this feature is enabled.

  • Added Server SDK support for creating custom server affinity providers.

  • Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients running older versions of Java that may start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not in any way compromise the strength of the integrity and/or confidentiality protection that is ultimately negotiated between the client and the server.

  • Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, it logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files are kept to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect a few of these files to aid in root cause analysis.

  • The default SCIM base context path changed from / to /scim. Any clients using the previous base context path will no longer be able to access SCIM services until they are updated. The following dsconfig command may be used to revert to the previous base context path after update:

    dsconfig set-http-servlet-extension-prop --extension-name SCIM --set base-context-path:/

  • Introduced the Configuration HTTP Servlet Extension, which can be used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.

Known Issues/Workarounds

The following are known issues in the current version of the PingDirectoryProxy Server:

  • For Entry Balancing deployments referencing custom schema in the Global Attribute Index, the attributes should be defined in the Proxy's schema as well as the external Datastore.

Resolved Issues

The following issues have been resolved with this release of the PingDirectoryProxy Server:

Ticket ID Description
DS-8368,DS-12120

Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints not handled by any servlet or web application extensions. Previously the handler would return a 200 OK with no response body.

DS-10441

Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized.

DS-10460

Fixed the dsconfig tool to suppress all stray output when run in batch mode with the --quiet option.

DS-11068,DS-11784,DS-11887

Updated the setup tools to enable definition of external server instances that are configured to reject unauthenticated requests. Previously the tools would erroneously indicate these servers were unavailable.

DS-11122

The PingDirectoryProxy Server will now periodically persist the global index to a file, and optionally prime the global index from the persisted file when the server is restarted.

DS-11138

Fixed an issue where deleting values of a multi-valued attribute using SCIM PATCH could silently fail. Modifications in SCIM PATCH are now mapped directly to LDAP modifications to take advantage of the matching rules configured in the Identity Datastore, when matching deleted values. Since the SCIM PATCH is now applied by the Datastore, the Permissive Modify Request Control (1.2.840.113556.1.4.1413) is now required by the SCIM component. This will ensure that adding an existing value or deleting a non-existent value in the PATCH request will not result in an error.

To continue using the SCIM component after an upgrade of the PingDirectory Server or PingDirectoryProxy Server, access controls and configuration may need to be updated to allow access to the Permissive Modify Request Control.

Directory:

dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12 || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

Proxy:

dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12 || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

dsconfig set-request-processor-prop --processor-name dc_example_dc_com-req-processor --add supported-control-oid:1.2.840.113556.1.4.1413

Note that "dc_example_dc_com-req-processor" is the default processor name and it may be different depending on your configuration.

Identity Broker: For each directory used as a user store, the following configuration changes are required:

dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2||1.3.6.1.4.1.30221.2.5.3||1.3.6.1.4.1.30221.2.5.25||1.2.840.113556.1.4.1413||1.3.6.1.4.1.30221.2.5.5||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'

dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2||1.3.6.1.4.1.30221.2.5.3||1.3.6.1.4.1.30221.2.5.25||1.2.840.113556.1.4.1413||1.3.6.1.4.1.30221.2.5.5||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319||1.2.840.113556.1.4.1413")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'

Note that the user DN "cn=Broker User,cn=Root DNs,cn=config" is the default user name created when the external store is prepared. It may be different depending on your configuration.

DS-11396

Updated gauge alert details to include the last threshold value that was crossed.

DS-11402

Reduced the Proxy Server's global index memory use by tokenizing the attribute type in the RDN index and compacting indexed attribute values for syntaxes that support it, such as integer, hex string, and bit string syntaxes.

DS-11406

Added the ability for a Server SDK extension, such as a Plugin, to register for notifications when an operation completes using the OperationContext#registerOperationCompletedListener() method.

DS-11453

Reduced the severity of the "unrecognized alert type" message in the error log from SEVERE_WARNING to NOTICE. The message now states that this is expected if the server is reverted to a version prior to the implementation of these alert types.

DS-11472

Fixed the gauge configuration manager to only re-initialize the gauge that was changed, and not any of the other gauges that did not change.

DS-11541

Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared and the alarm manager's generated-alert-types property has the "alarm" value.

DS-11546

Fixed the alarm manager to not include the details of the old alarm (the alarm being cleared) in the "alarm-cleared" alert message.

DS-11564

Updated the uninstall tool so that it unregisters the local server from any configured peer servers.

DS-11565

Updated the javadoc for the Example Overload Handler plugin to include the argument "invoke-for-internal-operations" with a value of "false" during the plugin creation. Previously, the plugin, when enabled, would drop internal queries to the monitor backend initiated by the gauge state provider.

Fixed an issue in the Example Overload Handler plugin's applyConfiguration method where, when any changes were made to the plugin's configuration itself (such as adding a new pre-parse type), it would drop requests because the plugin performed an LDAP search for the gauge argument in the config backend over a client connection instead of using an internal connection.

Fixed an issue where when the Example Overload Handler plugin was disabled and then re-enabled, an IllegalStateException occurred because the monitor provider that publishes drop stats was previously registered.

DS-11624

Updated the Web Console so that upon login, the user's old session is always invalidated.

DS-11629,DS-11645

Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page.

DS-11637

Updated the alarm manager to not generate an "alarm-normal" alert when a gauge's condition abates.

DS-11642

Updated the entry-balancing request processor to reject atomic multi-update requests that have one or more changes targeting entries at or outside of the balancing point.

DS-11688

Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This occurred when a certificate was accepted with the 'Manually validate' option, while using the interactive LDAP connection menu.

DS-11719

Updated the alarm manager to not persist normal alarms.

DS-11719

Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions.

DS-11730

Removed the "alarm-normal" alert.

DS-11738

Updated the server so that alarm-cleared, alarm-warning, alarm-minor, alarm-major, and alarm-critical alerts are not subject to duplicate alert suppression. Separate alert notifications of these types may represent distinct conditions and resources that should not be suppressed.

DS-11751

Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names.

DS-11755

Updated the HTTP Detailed Access logger to use timestamps with millisecond precision.

DS-11782

Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.

SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.

It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination.
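An added example (not part of the release notes or the product) of the access-log check described above: it parses SECURITY-NEGOTIATION and DISCONNECT messages, correlates each conn id with the CONNECT line that carries the client address, and reports clients that negotiated SSLv3 or were cut off for attempting it. The log lines are constructed here, and their exact field layout is an assumption; only the message types and the "protocol" element are taken from the note.

```python
import re

# Constructed sample in the general shape of the server access log (assumed
# layout; the field names CONNECT/SECURITY-NEGOTIATION/DISCONNECT/protocol
# follow the release note, everything else is invented test data).
SAMPLE_ACCESS_LOG = """\
[05/Nov/2014:10:15:02.101 -0600] CONNECT conn=12 from="192.0.2.10:51234" to="198.51.100.5:636" protocol="LDAPS"
[05/Nov/2014:10:15:02.140 -0600] SECURITY-NEGOTIATION conn=12 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
[05/Nov/2014:10:15:03.002 -0600] CONNECT conn=13 from="192.0.2.44:40211" to="198.51.100.5:636" protocol="LDAPS"
[05/Nov/2014:10:15:03.050 -0600] SECURITY-NEGOTIATION conn=13 protocol="SSLv3" cipher="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
[05/Nov/2014:10:15:04.310 -0600] CONNECT conn=14 from="192.0.2.44:40212" to="198.51.100.5:389" protocol="LDAP"
[05/Nov/2014:10:15:04.355 -0600] DISCONNECT conn=14 reason="Client Disconnect" msg="The client attempted to use the disallowed SSLv3 protocol"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<type>[A-Z-]+) conn=(?P<conn>\d+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one access log line into its timestamp, message type, conn id
    and the quoted key="value" elements that follow. Returns None for lines
    that do not match the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'type': m.group('type'), 'conn': int(m.group('conn'))}
    rec.update(KV_RE.findall(m.group('rest')))
    return rec

def find_sslv3_clients(log_text, insecure=('SSLv3', 'SSLv2')):
    """Return (flagged, rejected): flagged maps conn id -> client address for
    connections whose negotiated protocol is in `insecure`; rejected lists
    (conn id, client address) for disconnects that mention SSLv3."""
    client_by_conn = {}
    flagged = {}
    rejected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['type'] == 'CONNECT':
            client_by_conn[rec['conn']] = rec.get('from', '?')
        elif rec['type'] == 'SECURITY-NEGOTIATION' and rec.get('protocol') in insecure:
            flagged[rec['conn']] = client_by_conn.get(rec['conn'], '?')
        elif rec['type'] == 'DISCONNECT' and 'SSLv3' in rec.get('msg', ''):
            rejected.append((rec['conn'], client_by_conn.get(rec['conn'], '?')))
    return flagged, rejected

if __name__ == '__main__':
    flagged, rejected = find_sslv3_clients(SAMPLE_ACCESS_LOG)
    for conn, addr in flagged.items():
        print(f"conn={conn} from {addr} negotiated SSLv3: client needs a TLS update")
    for conn, addr in rejected:
        print(f"conn={conn} from {addr} was disconnected for attempting SSLv3")
```

Run it against the real logs/access file to get the list of client addresses that still need updating before SSLv3 stays disabled.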

DS-11837

Updated numeric gauges so that their severity changes when the current gauge value equals the threshold's exit value. Previously the value had to be strictly less than the exit value for the severity to change.

DS-11850

Updated the PingDirectoryProxy Server to return a "size limit exceeded" result for a baseObject search that matches multiple entries because entries with the same DN exist in multiple entry-balanced backend sets. Previously, the server could return multiple entries, which is undesirable for a baseObject search.

DS-11868

Fixed an issue where the server would hang during startup due to a previous unexpected service outage resulting in an empty tasks.ldif file.

DS-11879

Fixed the index rebuild job so that it does not generate redundant "index-degraded" alerts when an index is being rebuilt.

DS-11959

Updated the HTTP/HTTPS connection handler to Jetty 8.1.16.v20140903.

DS-11993

Added a gauge to the server to track JVM memory usage and alert if the amount of free memory gets low enough that it could impact server performance.

DS-12000

Fixed an issue where attempting to cancel many outstanding proxy operations could make the proxy server unresponsive.

DS-12002

Updated the proxy server to limit the number of parallel threads that will be created to process entry balancing operations that must be broadcast. In configurations with a large number of worker threads or a large number of backend sets, this keeps the server from creating too many threads.

DS-12077

Improved the PingDirectoryProxy Server's handling for the rare case in which a number of backend server connections become invalidated, but that backend server still accepts connections and those newly-established connections can be successfully used to process operations.

DS-12077

Updated the server to perform a health check against an entry-balanced backend server in the event of a failure while processing a broadcast operation.

DS-12147

Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects.