Resolved Issues

The following issues have been resolved with this release of PingDirectoryProxy Server:

Ticket ID Description
DS-811 Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file.
DS-1029 The server now monitors important certificates used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. An alarm is raised and alerts are sent when a monitored certificate is 30 days from expiration.

Updated the installer to discourage the use of weak root passwords.

When run in interactive mode, setup will display a list of password quality recommendations before prompting for the initial root password, suggesting that it should be at least 12 characters long, should not be contained in a dictionary of English words, and should not be contained in a dictionary of commonly-used passwords. If the proposed password does not meet these constraints, then the user will be given the option of proceeding with the provided weak password or choosing a different password.

When run in non-interactive mode, setup will exit with an error if the proposed initial root password does not satisfy the above constraints, unless the command line also includes the --allowWeakRootUserPassword argument.

In either mode, when a strong initial root password is supplied, setup will also configure the root users' password policy to ensure that subsequent root user passwords will also be required to satisfy these constraints.

DS-4161 Updated PingDirectory Server, PingDirectoryProxy Server, PingDataSync, and PingDataGovernance with the capability to run as Windows Services.

Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.

Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear.

DS-10748 Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler.
DS-11217 The Globally-Unique Attribute Plugin has a new multiple-attribute behavior option named "unique-in-combination." When selected, this option ensures the uniqueness of combinations of values for the configured attributes. For example, if no two users may have the same value for both givenName and sn, but users may have the same givenName or the same sn, use unique-in-combination.
DS-12520 Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the Directory Server (for cases in which each server contains a complete copy of the data) or the Directory Proxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing).
DS-13721 Corrected the port number returned in the error message that is displayed when an administrator is trying to set up a server that is already running.
DS-14650 Enhanced the HTTPS Connection Handler to send a HTTP Strict Transport Security header by default in all responses.
DS-15861, DS-15862 Replaced the ldapsearch and ldapmodify tools with new versions. The new versions are backward-compatible, but offer a number of new features, including better connection handling, better output formatting, better support for bulk operations, support for referrals, support for additional request and response controls, and rate limiting. The ldapsearch tool now offers the ability to output results in JSON, CSV, or tab-delimited text as an alternative to LDIF, and provides support for a number of data transformations. The ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files.
DS-15871 Improved support for password modify extended requests processed through the Directory Proxy Server. Those operations will now be processed more reliably and the results will be more consistent with the results obtained from sending the requests directly to a Directory Server instance.

Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.

Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed.
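To illustrate the DN handling described above, here is an added example (not PingDirectory code) that decodes an RDN value written in the RFC 4514 hex form (`#` followed by the hex of the value's BER encoding) and in the ordinary escaped-string form to the same canonical value, and rejects a hex form whose BER length does not match the bytes present. Attribute types are compared case-insensitively; values are compared exactly, which is an assumption of this example (real matching depends on the attribute's syntax).

```python
"""Treating hex-encoded and plain RDN values as the same DN (added example).

A DN attribute value may be an escaped string (e.g. \\2c for a comma) or
'#' plus the hex of its BER encoding (tag, length, contents).  Both forms
must decode to one value, and a hex form whose declared BER length disagrees
with the bytes actually present must be rejected rather than stored.
"""
import binascii

# BER tags whose contents this example decodes as a UTF-8 string:
# OCTET STRING, UTF8String, PrintableString, IA5String, VisibleString.
_STRING_TAGS = {0x04, 0x0C, 0x13, 0x16, 0x1A}


def _decode_ber_string(raw: bytes) -> str:
    """Parse exactly one BER TLV with a string tag and return its contents."""
    if len(raw) < 2:
        raise ValueError("hex-encoded value too short to hold a BER tag and length")
    tag, first = raw[0], raw[1]
    if tag not in _STRING_TAGS:
        raise ValueError(f"unsupported BER tag 0x{tag:02x} in DN value")
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(raw) < 2 + n:
            raise ValueError("malformed BER length")
        length, offset = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    contents = raw[offset:offset + length]
    # A declared length that does not match the bytes present is exactly the
    # kind of incorrectly encoded DN a server must not accept.
    if len(contents) != length or offset + length != len(raw):
        raise ValueError("BER length does not match the hex-encoded value")
    return contents.decode("utf-8")


def _unescape(value: str) -> str:
    """Resolve RFC 4514 backslash escapes, including \\XX hex pairs."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            out.extend(value[i].encode("utf-8"))
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if not pair:
            raise ValueError("dangling backslash in DN value")
        if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
            out.append(int(pair, 16))   # \XX hex escape -> one byte
            i += 3
        else:
            out.extend(pair[0].encode("utf-8"))  # \, \+ \" etc. -> literal char
            i += 2
    return out.decode("utf-8")


def normalize_rdn_value(value: str) -> str:
    """Canonical text of an RDN value, whatever encoding the client used."""
    if value.startswith("#"):
        hex_part = value[1:]
        if not hex_part or len(hex_part) % 2:
            raise ValueError("hex-encoded DN value needs an even, non-zero digit count")
        return _decode_ber_string(binascii.unhexlify(hex_part))
    return _unescape(value)


def is_valid_rdn_value(value: str) -> bool:
    """True if the value decodes cleanly under either encoding."""
    try:
        normalize_rdn_value(value)
        return True
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False


def _split_unescaped(text: str, sep: str) -> list:
    """Split on a separator that is not preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> tuple:
    """Structured, comparable form: one sorted tuple of (type, value) per RDN."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, val = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN component without '=': {ava!r}")
            avas.append((attr.strip().lower(), normalize_rdn_value(val.strip())))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def dns_equal(a: str, b: str) -> bool:
    """Compare two DNs regardless of hex or string encoding of their values."""
    return normalize_dn(a) == normalize_dn(b)
```

`dns_equal("cn=#0c034a6f65,dc=example,dc=com", "CN=Joe, dc=example,dc=com")` returns True: the first DN carries `cn` as a BER UTF8String (`0c 03 4a 6f 65`), the second as plain text, and both normalize to the same structure.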

DS-16405 The SNMP context name for the server can now be configured using the new context-name property of the SNMP Subagent Plugin. The server instance name remains the default context name when this property is not set.
DS-16509 Updated the access and audit loggers so that, when logging information about an internal operation that was triggered by an external client request, the log message will include the connection and operation ID for that request. Also updated the error logger so that when logging a message from a thread that is actively processing an operation, the log message will include the connection and operation ID for that operation.
DS-16593 Fixed an issue where incorrect names were displayed in the usage for the start scripts.
DS-16789 The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product.
DS-16858 The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made.
DS-16906 Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend.

Updated support for the UNBOUNDID-MS-CHAP-V2 SASL mechanism to make it easier for an intermediate application to support delegating MS-CHAPv2 authentication to the Directory Server. This includes:

  • The client SDK has been updated to make it easier to issue separate bind requests for each phase of the two-step authentication process. Previously, the API only exposed a single bind request that would perform both stages of the process.
  • A new "proxied MS-CHAPv2 details" request control has been provided, which can be used to allow an intermediate application acting as an MS-CHAPv2 server to generate its own server challenge rather than obtaining one from the Directory Server.
  • The client SDK has been updated to improve the javadoc documentation. A number of examples are included to demonstrate the process of using the SDK to authenticate with the UNBOUNDID-MS-CHAP-V2 mechanism. The README file has also been updated with instructions for enabling server-side support for the UNBOUNDID-MS-CHAP-V2 mechanism.
DS-17008 Fixed an issue that could impede the timely replication of subtree-delete requests contained in a transaction.
DS-17019 The server now requires Java version 8.
DS-17078 Fixed a couple of cases in which groups with missing members were not returned by filtered SCIM searches.
DS-17080 Improved error reporting for the manage-extensions tool.

Updated the logic used to select which TLS cipher suites should be enabled by default, and the logic used to prioritize those cipher suites. The selection process has been updated to use the guidelines provided in the OWASP "Transport Layer Protection Cheat Sheet" document.

Some of the changes include:

  • The server already preferred cipher suites that support forward secrecy over those that do not. It now prefers DHE over ECDHE, and avoids suites that use non-RSA keys.
  • The server already avoided cipher suites with known cryptographic weaknesses, including null encryption, the RC4 symmetric cipher, and the MD5 digest algorithm. It now also avoids anonymous encryption, the single-DES symmetric cipher, the IDEA symmetric cipher, and any suite using export-level encryption.
  • The server now prefers cipher suites that use the Galois/Counter Mode (GCM) over the Cipher Block Chaining (CBC) mode.
  • The server now prefers AES-based cipher suites with 256-bit keys over those that use 128-bit keys. For suites with equivalent key sizes, it prefers suites with a stronger message digest algorithm over suites with a weaker digest algorithm (e.g., SHA384 over SHA256 over SHA).
  • The server now provides better support for selecting and prioritizing cipher suites when running on the IBM JVM. The IBM JVM names its cipher suites somewhat differently from the Oracle implementation, which previously caused certain desirable suites to be left out of the selected set.
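The following added example (not PingDirectory code) applies the selection and ordering rules listed above to JSSE-style cipher suite names. It follows the release note's stated preferences, including DHE ahead of ECDHE and the exclusion of suites authenticated with non-RSA keys; the relative weight given to GCM-versus-CBC against key size is this example's own choice, since the note does not rank them against each other. TLS 1.3 suite names (which have no key-exchange part) and the SCSV pseudo-suite are outside its scope and are dropped. The sample suite list is constructed.

```python
"""Selecting and ordering TLS cipher suites by the release note's rules
(added example, not PingDirectory code).  Operates on JSSE-style names such
as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
"""

# Tokens marking a suite as unacceptable: null/anonymous encryption, RC4,
# MD5, single DES (triple DES appears as the token "3DES"), IDEA, export grades.
_WEAK_TOKENS = {"NULL", "anon", "RC4", "MD5", "DES", "IDEA", "EXPORT", "EXPORT1024"}
_FORWARD_SECRET = {"DHE", "ECDHE"}
# Release-note order: DHE ahead of ECDHE, then everything without forward secrecy.
_KX_RANK = {"DHE": 0, "ECDHE": 1}
_DIGEST_RANK = {"SHA384": 0, "SHA256": 1, "SHA": 2}


def _key_exchange_and_auth(tokens):
    """JSSE names look like <proto>_<kx>[_<auth>]_WITH_<cipher...>_<digest>."""
    kx_part = tokens[1:tokens.index("WITH")]
    if len(kx_part) == 1:          # e.g. TLS_RSA_WITH_...: RSA does both jobs
        return kx_part[0], kx_part[0]
    return kx_part[0], kx_part[1]  # e.g. ECDHE_RSA, DHE_DSS, DH_anon


def is_acceptable(name: str) -> bool:
    """Drop pseudo-suites, suites with any weak component, and non-RSA keys."""
    tokens = name.split("_")
    if "WITH" not in tokens or _WEAK_TOKENS.intersection(tokens):
        return False
    _, auth = _key_exchange_and_auth(tokens)
    return auth == "RSA"


def rank(name: str) -> tuple:
    """Sort key (lower sorts first): forward secrecy, key exchange, GCM over
    CBC, AES-256 over AES-128 (non-AES last), then the stronger digest."""
    tokens = name.split("_")
    kx, _ = _key_exchange_and_auth(tokens)
    fs = 0 if kx in _FORWARD_SECRET else 1
    mode = 0 if "GCM" in tokens else 1
    if "AES" in tokens:
        key_bits = 0 if "256" in tokens else 1
    else:
        key_bits = 2
    return (fs, _KX_RANK.get(kx, 2), mode, key_bits, _DIGEST_RANK.get(tokens[-1], 3))


def select_cipher_suites(available):
    """Filter out unacceptable suites and return the rest in preference order."""
    return sorted((s for s in available if is_acceptable(s)), key=rank)


# Constructed sample of what a JVM might report as its supported suites.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    for suite in select_cipher_suites(SAMPLE_SUITES):
        print(suite)
```

On the sample list, eight of the fourteen names are dropped (ECDSA, RC4/MD5, DES, anonymous DH, export, NULL, IDEA, SCSV) and the six survivors come out with the DHE and ECDHE GCM suites first and the two non-forward-secret RSA suites last.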
DS-17241 The Administrative Console is no longer compatible with older versions of the server.

Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.

Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.

The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the PingDirectoryProxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).

The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that might exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced.
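The three multiple-attribute behaviors described for the uniqueness request control above (and for the Globally-Unique Attribute Plugin's unique-in-combination option in DS-11217) differ in what counts as a conflict. This added example (not PingDirectory code) implements all three over a small constructed entry set and adds a pre-commit style check that asks whether a new entry would introduce a conflict. Only the name `unique-in-combination` comes from the release notes; the other two behavior labels are this example's own, and entries are modelled as `(dn, {attribute: [values]})` with exact value comparison.

```python
"""Three interpretations of "unique" across several attributes (added example,
not PingDirectory code).  Only unique-in-combination is a name from the
release notes; the other two labels are this example's own.
"""
from collections import defaultdict
from itertools import product

UNIQUE_PER_ATTRIBUTE = "unique-within-each-attribute"   # assumed label
UNIQUE_ACROSS_ATTRIBUTES = "unique-across-attributes"   # assumed label
UNIQUE_IN_COMBINATION = "unique-in-combination"         # name from the notes


def find_conflicts(entries, attributes, behavior):
    """Map each conflicting key to the sorted DNs that share it.

    Keys are (attribute, value) for the per-attribute behavior, ("*", value)
    for the across-attributes behavior, and ("combination", values-tuple)
    for unique-in-combination.
    """
    seen = defaultdict(set)
    for dn, attrs in entries:
        if behavior == UNIQUE_PER_ATTRIBUTE:
            # Each attribute is its own namespace: givenName=Lee and sn=Lee coexist.
            for attr in attributes:
                for value in attrs.get(attr, []):
                    seen[(attr, value)].add(dn)
        elif behavior == UNIQUE_ACROSS_ATTRIBUTES:
            # One namespace for all listed attributes; the same value twice
            # inside a single entry is not counted as a conflict here (assumption).
            for attr in attributes:
                for value in attrs.get(attr, []):
                    seen[("*", value)].add(dn)
        elif behavior == UNIQUE_IN_COMBINATION:
            # Entries lacking one of the attributes have no complete combination
            # and are skipped; multi-valued attributes contribute every combination.
            value_lists = [attrs.get(attr, []) for attr in attributes]
            if all(value_lists):
                for combo in product(*value_lists):
                    seen[("combination", combo)].add(dn)
        else:
            raise ValueError(f"unknown multiple-attribute behavior: {behavior}")
    return {key: sorted(dns) for key, dns in seen.items() if len(dns) > 1}


def would_conflict(entries, new_entry, attributes, behavior) -> bool:
    """Pre-commit style check: would adding new_entry put it into a conflict?"""
    dn = new_entry[0]
    conflicts = find_conflicts(list(entries) + [new_entry], attributes, behavior)
    return any(dn in dns for dns in conflicts.values())


# Constructed sample data.
SAMPLE_ENTRIES = [
    ("uid=u1,ou=People,dc=example,dc=com", {"givenName": ["Ann"], "sn": ["Lee"]}),
    ("uid=u2,ou=People,dc=example,dc=com", {"givenName": ["Ann"], "sn": ["Park"]}),
    ("uid=u3,ou=People,dc=example,dc=com", {"givenName": ["Lee"], "sn": ["Kim"]}),
    ("uid=u4,ou=People,dc=example,dc=com", {"givenName": ["Ann"], "sn": ["Lee"]}),
]

if __name__ == "__main__":
    for behavior in (UNIQUE_PER_ATTRIBUTE, UNIQUE_ACROSS_ATTRIBUTES, UNIQUE_IN_COMBINATION):
        print(behavior, find_conflicts(SAMPLE_ENTRIES, ["givenName", "sn"], behavior))
```

With the sample data, the per-attribute behavior flags the three entries sharing `givenName=Ann` and the two sharing `sn=Lee`; the across-attributes behavior additionally ties `uid=u3` (givenName Lee) to the two entries with `sn=Lee`; and unique-in-combination flags only `uid=u1` and `uid=u4`, the two entries with the same givenName and sn together, which is the DS-11217 case of allowing a repeated givenName or sn but not both.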

DS-17318 Removed the default root password from the out-of-the-box configuration. This password was never actually used because it was replaced by the user-supplied password provided when running setup, and it has been removed for additional security.

Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:

  • When hashing or signing a backup.
  • When signing an LDIF export.
  • When signing log data.
  • When generating MACs for an encrypted collect-support-data archive.
  • When generating unique identifiers for encryption settings definitions.
  • When determining whether the configuration changed with the server offline.

In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.

Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.

Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest.
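The compatibility point made above for DS-17318, that the digest or MAC algorithm is recorded alongside the output so that readers pick it up from the file rather than assuming one, is shown in this added example (not PingDirectory code). It signs an LDIF export with an HMAC and appends a trailer naming the algorithm; the verifier reads that name and can therefore check both the new SHA-256 output and legacy SHA-1 output, while failing closed on an algorithm it does not know. The trailer format, algorithm labels, sample export and key are all this example's own.

```python
"""Signing an LDIF export with the MAC algorithm recorded in the output
(added example, not PingDirectory code).  The trailer format and algorithm
labels are this example's own; the point is that the verifier reads the
algorithm from the file, so moving the default from SHA-1 to SHA-256 does
not break a reader that still understands both.
"""
import hmac

# Algorithm label as written into the file -> hashlib digest name.
_ALGORITHMS = {"HMAC-SHA-1": "sha1", "HMAC-SHA-256": "sha256"}
_ALG_PREFIX = "# signature-algorithm: "
_SIG_PREFIX = "# signature: "


def sign_export(ldif_text: str, key: bytes, algorithm: str = "HMAC-SHA-256") -> str:
    """Append a trailer naming the MAC algorithm and carrying the MAC."""
    mac = hmac.new(key, ldif_text.encode("utf-8"), _ALGORITHMS[algorithm]).hexdigest()
    return f"{ldif_text}{_ALG_PREFIX}{algorithm}\n{_SIG_PREFIX}{mac}\n"


def verify_export(signed: str, key: bytes):
    """Return (verified, algorithm_label).

    Missing metadata gives (False, None); an algorithm this verifier does not
    support fails closed rather than guessing a digest.
    """
    lines = signed.splitlines(keepends=True)
    if (len(lines) < 2 or not lines[-2].startswith(_ALG_PREFIX)
            or not lines[-1].startswith(_SIG_PREFIX)):
        return False, None
    algorithm = lines[-2][len(_ALG_PREFIX):].strip()
    claimed = lines[-1][len(_SIG_PREFIX):].strip()
    digest = _ALGORITHMS.get(algorithm)
    if digest is None:
        return False, algorithm
    body = "".join(lines[:-2])
    expected = hmac.new(key, body.encode("utf-8"), digest).hexdigest()
    # Constant-time comparison so the verifier does not leak how many digits matched.
    return hmac.compare_digest(expected, claimed), algorithm


# Constructed sample export and key; a real server would take the key from
# its encryption settings rather than a literal.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: jdoe\n"
    "sn: Doe\n"
    "\n"
)

if __name__ == "__main__":
    current = sign_export(SAMPLE_LDIF, SAMPLE_KEY)
    legacy = sign_export(SAMPLE_LDIF, SAMPLE_KEY, "HMAC-SHA-1")
    print(verify_export(current, SAMPLE_KEY), verify_export(legacy, SAMPLE_KEY))
```

Both the SHA-256 and the SHA-1 trailers verify with the same code path because the algorithm is taken from the file; a body edited after signing, a wrong key, or a trailer naming an unsupported algorithm all verify as False.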

DS-17463 Updated the Admin Alerts Health Check to tolerate an incorrect LDAP result code returned by Active Directory when testing for the existence of cn=alerts. With this change, having use-for-all-servers=true configured on the Admin Alerts Health Check will no longer cause Active Directory servers to be flagged as UNAVAILABLE.
DS-17544 The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/, located in the server root.
DS-17576 Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information.
DS-17606 Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK.
DS-17716 Addressed an issue where LDAP throughput and response time data were not available for tracked applications configured in the Directory Proxy Server. The problem occurred when the applications were identified by user entries stored in a Directory Server that was referenced by a proxying request processor where a value of 'true' was configured for the assign-client-connection-policy-from-backend-server setting.
DS-17880 Fixed an issue that could prevent an entry-balanced Directory Proxy Server from returning a get password policy state issues response control in response to a failed bind attempt. Also updated the access logger to include additional details in FORWARD-FAILED messages, including matched DN, referral URLs, and response controls.
DS-17968 Limited the ACI search performed by the collect-support-data tool to 100 entries. This reduces the time the tool takes to run for organizations with a large number of ACIs.
DS-18016 Added support for the X-Forwarded-Prefix header to override the context path of operations processed by HTTP Servlet Extensions.

Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:

  • Whether the password update is a self change or an administrative reset
  • Whether to accept or reject pre-encoded passwords
  • Whether to perform or skip password quality validation for the new password
  • Whether to check to see if the new password matches the current password or any password in the user's history
  • Whether to enforce or ignore the minimum password age constraint
  • Which password storage scheme to use when encoding the new password
  • Whether the user must be required to choose a new password before being permitted to request any other operations
DS-18100 A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website or contact
DS-18142 The round-robin load-balancing algorithm has been deprecated. The fewest-operations load-balancing algorithm should be used instead, since it utilizes a pool of servers more efficiently than a simple round-robin algorithm.
DS-18185 Addressed an issue in the Server SDK where internal searches performed by extensions could fail in entry balanced environments. An internal search listener was not properly synchronized and could become corrupted when accessed by multiple threads when doing a broadcast search.
DS-18188 Removed the ability to create custom HTTP trace loggers using the Server SDK.
DS-35495 Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes.