Upgrade Considerations

Important considerations for upgrading to this version of the PingDirectoryProxy Server:

  • The summarize-config tool is deprecated, and will be removed in future versions of the product. Use the config-diff tool with the "sourceBaseline" argument to list a summary of changes to the local server configuration.

What's New

These are new features for this release of the PingDirectoryProxy Server:

  • Added initial support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. Indexing options are currently limited. Please see the full release note below for DS-12138.

Resolved Issues

The following issues have been resolved with this release of the PingDirectoryProxy Server:

Ticket ID Description

Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired).


Added the ability to configure the Globally-Unique Attribute and Unique Attribute plugins with a filter to limit attribute uniqueness checking to a subset of matching entries.


Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads.


Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.

Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration.


Updated the Configuration API output where properties and their values are listed to include those that are undefined.


Added support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. The syntax requires that each value of this type is a valid JSON object. Two matching rules have also been added for use in conjunction with the JSON object syntax: jsonObjectExactMatch and jsonObjectFilterExtensibleMatch.

The jsonObjectExactMatch equality matching rule is used in evaluating equality filters in search operations, as well as for matching performed against JSON object attributes for add, compare, and modify operations. It determines whether two values are logically-equivalent JSON objects. The field names used in both objects must match exactly (although fields may appear in different orders). The values of each field must have the same data types. String values will be compared in a case-insensitive manner. The order of elements in arrays will be considered significant.

The jsonObjectFilterExtensibleMatch matching rule can perform more powerful matching against JSON objects. The assertion values for these extensible matching filters should be JSON objects that express the constraints for the matching. These JSON object filters are described in detail in the Javadoc documentation (available in the Commercial Edition of the UnboundID LDAP SDK for Java) for the com.unboundid.ldap.sdk.unboundidds.json.JSONObjectFilter class and its subclasses. Although the LDAP SDK can facilitate searches with this matching rule, these searches can be issued through any LDAP client API that supports extensible matching.

Indexing is supported only for the jsonObjectExactMatch matching rule. If possible, non-baseObject searches that use the jsonObjectFilterExtensibleMatch matching rule should be wrapped in an LDAP AND filter that also contains one or more indexed components so that the search can be processed more efficiently.


The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup.


Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it.


The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage.


Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart.


Addressed cases where some messages may be suppressed in logs and alerts.


Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised.


SCIM, through proxy, does not support pagination. Pagination requires the use of VLV and Server Side Sort controls, which are not natively supported by the Identity Proxy Server. The SCIM proxy configuration script incorrectly included these controls in the ACI and supported controls sections. These have now been removed.


Added support for running on Oracle Java 8 and OpenJDK 8 platforms.


Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors.


Fixed an issue where using the RouteToBackendSetRequestControl with an incorrect entry-balancing request processor ID could result in a NullPointerException.


Updated the server to avoid the use of the server-side sort and virtual list view request controls in search requests that span multiple subtree views or multiple entry-balanced backend sets. If the server cannot honor a non-critical server-side sort or virtual list view control, then it will process the search operation as if the control had not been included in the request. If the server cannot honor a critical server-side sort or virtual list view control, then it will return an error result to the client.


Update the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints.


The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.


Added support for three new extended operations for interacting with single-use tokens:

- The "get supported OTP delivery mechanisms" operation provides information about which one-time password delivery mechanisms are configured in the server, and which of those are available for a specified user.

- The "deliver single-use token" operation can generate a token value and provide it to a specified user through an out-of-band communication mechanism like email, SMS, or voice call.

- The "consume single-use token" operation indicates that the user has received a single-use token from the "deliver single-use token" operation, and to consume that token so that it cannot be reused.


Fixed an issue where the Proxy Server returned an incorrect result code when attempting to add an entry that already exists more than one level below an entry balancing base DN. The Proxy Server in some cases would incorrectly return NO_SUCH_OBJECT rather than ENTRY_ALREADY_EXISTS.


Fixed an issue where configuring numeric IPv4 address filtering by connection criteria in a log publisher performed unnecessary reverse host name lookups.


MakeLDIF templates now have the ability to escape special characters curly braces, angle brackets, and square brackets using a backslash. See config/MakeLDIF/examples-of-all-tags.template for further examples.


Fixed an issue that would result in long server startup when many locations and load balancing algorithms are defined.


Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage.


Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status.


The Proxy Server processing for Third-Party Proxied Extended Operation Handlers has been changed for extended operations containing "Route To Backend Set" request controls. The default behavior is now to process the operation only on backends in the entry-balancing request processors specified in the request controls. The old behavior to process on backends in other request processors too may be obtained through the advanced "route-to-backend-set-behavior" configuration property on the Third-Party Proxied Extended Operation Handler.